Fortinet CVE-2025-59718 mitigation guidance
Advisory/Mitigation
Summary
Hide ▲
Show ▼
Fortinet told customers to immediately harden FortiCloud SSO exposure for CVE-2025-59718, because attackers are still abusing the flaw against fully patched firewalls. The guidance tells admins to restrict Internet-facing administrative access with a local-in policy and disable FortiCloud SSO until the issue is fully remediated. Fortinet also said affected operators should treat devices as compromised if the listed indicators appear and rotate credentials and restore a known clean configuration.
Related Happenings
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Fortinet security patch release for CVE-2026-39813
Security Patch Release
H score41
First: 16.06.2026 12:19
Last: 16.06.2026 12:19
Sources 1
About this happening:
**Fortinet** released **April 14** security updates for **FortiSandbox**, covering **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**. The patch release fixes **three...
Fortinet security patch release for CVE-2026-39813
Security Patch ReleaseAbout this happening: **Fortinet** released **April 14** security updates for **FortiSandbox**, covering **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**. The patch release fixes **three...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation Wave
H score56
First: 28.05.2026 18:26
Last: 28.05.2026 18:26
Sources 1
About this happening:
**CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
Timeline
-
23.01.2026 12:39 1 articles · 5mo ago
FortiCloud SSO bypass exploitation begins
Exploitation ObservedAttackers began exploiting CVE-2025-59718 against fully patched Fortinet firewalls, creating VPN-capable accounts and stealing firewall configurations within seconds, which points to likely automated abuse of a FortiCloud SSO authentication bypass.
Show sources
- Fortinet confirms critical FortiCloud auth bypass not fully patched — www.bleepingcomputer.com — 23.01.2026 12:39
-
23.01.2026 12:39 4 articles · 5mo ago
Fortinet issues CVE-2025-59718 hardening guidance
Mitigation Patch UpdateFortinet said fully upgraded devices were affected by a new attack path tied to CVE-2025-59718, confirmed it is working on a fix, and told customers to restrict Internet-facing administrative access with a local-in policy, disable the FortiCloud SSO login option, and treat exposed systems and configurations as compromised if the listed indicators appear.
Show sources
- Fortinet confirms critical FortiCloud auth bypass not fully patched — www.bleepingcomputer.com — 23.01.2026 12:39
- Fortinet confirms critical FortiCloud auth bypass not fully patched — www.bleepingcomputer.com — 23.01.2026 12:39
- Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws — thehackernews.com — 10.12.2025 06:50
- Hackers exploit newly patched Fortinet auth bypass flaws — www.bleepingcomputer.com — 16.12.2025 17:57