Thousands of FortiCloud SSO Devices Vulnerable to Remote Hacks

Summary
– Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online and vulnerable to active attacks exploiting a critical authentication bypass flaw.
– The vulnerability (CVE-2025-59718/CVE-2025-59719) allows attackers to gain admin access via malicious SSO logins and steal sensitive system configuration files.
– The U.S. cybersecurity agency CISA has ordered federal agencies to patch this flaw within a week due to its active exploitation.
– Researchers note it is surprising that so many vulnerable administrative interfaces remain publicly accessible, given Fortinet’s history of exploited flaws.
– Fortinet vulnerabilities are frequently targeted by advanced threat actors, including Chinese state-sponsored groups and ransomware operators.
A significant number of internet-facing Fortinet security appliances remain at risk due to a critical authentication bypass flaw. Cybersecurity researchers have identified tens of thousands of devices with the vulnerable FortiCloud Single Sign-On (SSO) feature enabled, creating a massive attack surface for threat actors. This exposure comes amid confirmed active exploitation of the vulnerabilities, prompting urgent patching directives from government agencies.
The security flaws, tracked as CVE-2025-59718 and CVE-2025-59719, affect FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb products. Fortinet noted that the affected SSO login feature only becomes active once a device has been registered with the FortiCare support portal, which limits the exposed population to registered devices; exploitation is nonetheless confirmed in the wild. Attackers are using maliciously crafted SAML messages to bypass authentication entirely, gaining administrative access to the web management interface.
Once inside, attackers can download the device's system configuration files. These files reveal internal network layouts, firewall policies, internet-facing services, and hashed passwords that can be cracked offline, so any credentials contained in a configuration taken from an exposed device should be treated as compromised and rotated. This information significantly aids further network penetration and lateral movement.
Internet monitoring by the Shadowserver Foundation currently shows over 25,000 IP addresses with the vulnerable FortiCloud SSO fingerprint exposed online. The United States hosts the largest number, with more than 5,400 instances, followed by India with nearly 2,000. Independent scans by Macnica threat researcher Yutaka Sejiyama found an even higher figure, exceeding 30,000 exposed devices. Sejiyama expressed concern, stating it is surprising that so many administrative interfaces remain publicly accessible given the history of FortiOS GUI vulnerabilities being heavily targeted.
The severity of the active attacks has triggered a formal response from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agency added the flaws to its Known Exploited Vulnerabilities catalog, mandating all federal civilian agencies to apply patches by December 23. This directive falls under Binding Operational Directive 22-01, which enforces strict deadlines for addressing critical security flaws.
Fortinet products are a frequent target for advanced persistent threat groups, cybercriminals, and ransomware operators, often before patches are even available. Earlier this year, the Chinese state-sponsored group Volt Typhoon exploited two separate FortiOS SSL VPN zero-days to implant malware on a Dutch military network. More recently, in November, Fortinet warned that a different FortiWeb zero-day was being actively exploited in the wild, just one week after acknowledging it had quietly patched another widely abused FortiWeb flaw. This pattern underscores the critical importance of rapid patch deployment for all Fortinet security updates.
(Source: Bleeping Computer)