Two recently disclosed vulnerabilities discovered in Fortinet’s product portfolio have prompted a pre-holiday warning for defenders after being added to the Known Exploited Vulnerabilities (KEV) catalogue run by the US’ national cyber agency this week.
The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719, enable a threat actor to bypass FortiCloud single sign-on (SSO) authentication via a maliciously crafted security assertion markup language (SAML) message. According to Fortinet, they are present in multiple versions of FortiOS, FortiWeb, FortiProxy and FortiSwitchManager.
It should be noted that while the vulnerable feature is not enabled by default in factory settings, it does activate automatically if and when a device is registered to the FortiCare tech service via the GUI unless the customer admin has explicitly opted out of this.
In a statement, the US Cybersecurity and Infrastructure Security Agency (CISA) said: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
Initially reported by Fortinet on 9 December, multiple third parties are now reporting exploitation activity in progress against CVE-2025-59718 and CVE-2025-59719.
According to Rapid7 analysts, who have been trapping multiple exploit attempts against their honeypots since a proof-of-concept exploit was posted to GitHub, many of the observed attacks have seen attackers authenticate as the admin user and immediately download the target's system configuration file, which can often hold hashed credentials.
“As a result, any organisation with indicators of compromise [IOCs] must assume credential exposure and respond accordingly. A vendor patch is available, and organisations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation efforts are underway,” said the Rapid7 team.
Arctic Wolf researchers said that besides applying the available updates from Fortinet, organisations finding that they are affected should reset their firewall credentials as a precaution, on the basis that they may have been compromised and exfiltrated, and limit access to firewall and virtual private network (VPN) appliances to trusted internal users.
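The post-exploitation pattern Rapid7 describes (an SSO admin login followed almost immediately by a configuration download from the same source) is something a defender can hunt for in device event logs while patching is under way. The script below is an added example written for this article, not code from Rapid7, Arctic Wolf or Fortinet; the log lines are constructed in a FortiOS-style key=value layout, and the field names (`user`, `action`, `method`, `object`, `srcip`) and values are assumptions that would need mapping onto the real log schema.

```python
"""Hypothetical detection: flag an SSO admin login that is followed within a
short window by a system-configuration backup from the same source address.
Log lines and field names below are constructed for this example and are
not real Fortinet output."""
import shlex
from datetime import datetime, timedelta

# Constructed sample event log (NOT real device output).
SAMPLE_LOG = """\
date=2025-12-17 time=09:12:03 user="admin" action="login" method="sso" srcip=203.0.113.7 status=success
date=2025-12-17 time=09:12:41 user="admin" action="backup" object="system-config" srcip=203.0.113.7 status=success
date=2025-12-17 time=10:30:10 user="jdoe" action="login" method="gui" srcip=10.0.0.5 status=success
date=2025-12-17 time=11:02:00 user="jdoe" action="backup" object="system-config" srcip=10.0.0.5 status=success
date=2025-12-17 time=13:45:59 user="admin" action="login" method="sso" srcip=198.51.100.9 status=success
"""

# How soon after the login a config download must occur to be correlated.
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one key=value log line into a dict; shlex strips the quotes."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return fields


def find_sso_config_exfil(log_text, window=WINDOW):
    """Return (login_ts, backup_ts, srcip) for every SSO admin login that is
    followed within `window` by a system-config backup from the same srcip.

    Only the 'sso' login method is considered, since the article's concern is
    the FortiCloud SSO bypass; ordinary GUI logins by named users are ignored.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    alerts = []
    for i, ev in enumerate(events):
        is_sso_admin_login = (
            ev.get("user") == "admin"
            and ev.get("action") == "login"
            and ev.get("method") == "sso"
        )
        if not is_sso_admin_login:
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are time-ordered, nothing further can match
            if (
                later.get("action") == "backup"
                and later.get("object") == "system-config"
                and later.get("srcip") == ev.get("srcip")
            ):
                alerts.append((ev["ts"], later["ts"], ev["srcip"]))
                break
    return alerts


if __name__ == "__main__":
    for login_ts, backup_ts, ip in find_sso_config_exfil(SAMPLE_LOG):
        print(f"ALERT: SSO admin login at {login_ts} from {ip} "
              f"followed by config download at {backup_ts}")
```

On the constructed sample this raises one alert (the 09:12 login and 09:12:41 backup from 203.0.113.7); the 13:45 SSO login has no follow-on download and the GUI user's backup is not correlated. Any hit should be treated the way Rapid7 advises: assume the configuration, and the hashed credentials in it, have been exposed, and reset them.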
As its products are deeply embedded in many networks, Fortinet is frequently targeted by threat actors as an initial access point into their victims' wider IT environments, so further attempts against the latest pair of flaws are considered highly likely.
Christmas presents
Besides the Fortinet authentication bypass issues, CISA has added a few more high-profile flaws to the KEV catalogue in the run-up to the festive break.
These include CVE-2025-69374, an embedded malicious code vulnerability that has arisen in ASUS Live Update after unauthorised modifications were made in a supply chain cyber attack.
Multiple Cisco products, including AsyncOS software, Cisco Secure Email Gateway, and Secure Email and Web Manager appliances, are at risk from an input validation vulnerability, tracked as CVE-2025-20393, via which a threat actor may be able to execute arbitrary commands with root privileges.
Finally, SonicWall users should address CVE-2025-40602, a missing authorisation flaw enabling privilege escalation on the appliance management console of SMA1000 series secure access gateways.
At the time of writing, none of the above-listed vulnerabilities have been observed being used in ransomware attacks.
