Critical Fortinet Vulnerabilities Under Active Exploitation: A Deep Dive & Mitigation Guide
The holiday season has brought a stark warning to cybersecurity professionals: critical vulnerabilities in Fortinet products are being actively exploited in the wild. These flaws, alongside several others recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, demand immediate attention. This article provides a comprehensive overview of the situation, offering actionable insights for organizations to protect their networks.
Fortinet Authentication Bypass: CVE-2025-59718 & CVE-2025-59719 – A Serious Threat
Two meaningful vulnerabilities, CVE-2025-59718 and CVE-2025-59719, have been identified in multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These vulnerabilities allow attackers to bypass FortiCloud single sign-on (SSO) authentication by crafting malicious Security Assertion Markup Language (SAML) messages.
The severity of this issue cannot be overstated.The US Cybersecurity and Infrastructure Security Agency (CISA) has explicitly flagged these vulnerabilities as a “frequent attack vector” posing “significant risks to the federal enterprise.” And, unfortunately, exploitation is already happening.
How the Vulnerability Works & why You’re Potentially at Risk
While the vulnerable feature isn’t enabled by default, it automatically activates when a Fortinet device is registered with FortiCare tech support through the GUI – unless a customer specifically opts out. This means a significant number of organizations may unknowingly be exposed.
Recent reports from security researchers at Rapid7 and Arctic Wolf confirm active exploitation attempts. Rapid7’s honeypots have been inundated with exploit attempts following the public release of a proof-of-concept exploit on GitHub. A particularly alarming tactic observed by Rapid7 is attackers authenticating as the ‘admin’ user and promptly downloading the system configuration file. This file frequently enough contains hashed credentials, potentially granting attackers broad access to the network.
What You need to Do now
Given the active exploitation and potential for credential compromise, a swift and decisive response is crucial. Here’s a breakdown of recommended actions:
* Apply the Vendor Patch: Fortinet has released a patch to address these vulnerabilities. Prioritize patching affected systems immediately. This is the most effective long-term solution.
* Disable forticloud SSO Administrative Login (temporary Mitigation): While patching is underway, disable FortiCloud SSO administrative login. This will prevent attackers from exploiting the vulnerability,even if they have identified a vulnerable system.
* assume Credential Exposure & Respond Accordingly: if you have indicators of compromise (IOCs), assume your credentials have been compromised. Force password resets for all administrative accounts, especially those with privileged access.
* Review Firewall Logs: Thoroughly examine firewall logs for suspicious activity, focusing on login attempts, configuration file downloads, and unusual network traffic.
* Limit Access to Critical Appliances: Restrict access to firewall and VPN appliances to trusted internal users only. Implement multi-factor authentication (MFA) wherever possible.
Beyond Fortinet: Other Newly Added KEV Vulnerabilities
The Fortinet vulnerabilities aren’t the only concerns. CISA has recently added several other high-profile flaws to the KEV catalogue, requiring attention:
* ASUS Live Update (CVE-2025-69374): This vulnerability involves embedded malicious code resulting from a supply chain attack targeting ASUS Live Update. Ensure your systems are updated and monitor for any signs of compromise.
* Cisco Products (CVE-2025-20393): Multiple Cisco products, including AsyncOS software, Secure Email Gateway, and Web Manager appliances, are vulnerable to an input validation flaw that could allow attackers to execute arbitrary commands with root privileges. Apply the necessary patches immediately.
* SonicWall SMA1000 Series (CVE-2025-40602): A missing authorization flaw in SonicWall SMA1000 series secure access gateways allows for privilege escalation. Address this vulnerability promptly to prevent unauthorized access.
Why Fortinet is a Frequent Target & what to Expect
Fortinet products are widely deployed and deeply integrated into many networks, making them a prime target for threat actors seeking initial access to larger IT environments. Given this reality, we can expect continued attempts to exploit these and other vulnerabilities in Fortinet products.
**Staying ahead of the Curve
