FortiOS authentication bypass (CVE-2025-59718, active exploitation)
Vulnerability
Summary
Hide ▲
Show ▼
FortiOS is affected by CVE-2025-59718, an authentication bypass tied to FortiCloud SSO on FortiOS, FortiProxy, FortiSwitchManager, with related patching also covering CVE-2025-59719 in FortiWeb. Arctic Wolf and Shadowserver reported active exploitation and found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, including large concentrations in the United States and India. The abuse uses a maliciously crafted SAML message to reach admin-level access on the web management interface and download sensitive configuration files. CISA has added the flaw to its actively exploited catalog, and Fortinet said the vulnerable FortiCloud SSO login feature is only enabled after admins register the device with FortiCare.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
Timeline
-
10.03.2026 18:21 1 articles · 4mo ago
FortiGate exploitation campaign steals credentials and deploys remote access tools
Campaign Scope UpdateThreat actors abused FortiGate Next-Generation Firewall appliances as entry points to steal configuration files and service account credentials from healthcare, government, and managed service provider environments, using known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 or weak credentials; in one intrusion they created a local administrator account named support, in another they deployed Pulseway and MeshAgent, and another case involved exfiltrating NTDS.dit and the SYSTEM registry hive to 172.67.196[.]232 over port 443.
Show sources
- FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials — thehackernews.com — 10.03.2026 18:21
-
21.01.2026 19:49 4 articles · 5mo ago
FortiOS CVE-2025-59718 compromise reports on FortiGate systems
Initial DisclosureFortiGate administrators reported that systems running FortiOS 7.4.9 and 7.4.10 were still being compromised through CVE-2025-59718, with a malicious SSO login creating a local admin account on an affected FortiGate and a SIEM flagging the unauthorized user creation. Fortinet was also said to be preparing FortiOS 7.4.11, 7.6.6, and 8.0.0 to fully close the authentication bypass, while prior December 2025 exploitation via maliciously crafted SAML messages provided additional context for the active abuse.
Show sources
- Fortinet admins report patched FortiGate firewalls getting hacked — www.bleepingcomputer.com — 21.01.2026 19:49
- Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations — thehackernews.com — 22.01.2026 07:55
- Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls — thehackernews.com — 23.01.2026 14:30
- Over 25,000 FortiCloud SSO devices exposed to remote attacks — www.bleepingcomputer.com — 19.12.2025 17:00