Over 25,000 FortiCloud SSO Devices Exposed to Remote Attacks
Summary:
A critical authentication bypass vulnerability (tracked as CVE-2025-59718 and CVE-2025-59719) has been discovered affecting Fortinet devices with the FortiCloud SSO (Single Sign-On) feature enabled. The vulnerability stems from the "improper verification of cryptographic signature" within vulnerable Fortinet products. Attackers can bypass authentication by sending a maliciously crafted SAML message.
As of December 2024/2025, security watchdogs (like Shadowserver) have identified over 25,000 Fortinet devices exposed online that have this specific fingerprint. The vulnerability is being actively exploited in the wild, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.
Security Officer Comments:
The impact of this vulnerability is critical because it grants attackers administrative control without requiring valid credentials. Exploitation allows an unauthenticated remote attacker to gain full admin-level access to the device's web management interface.
Attackers can download system configuration files. These files contain sensitive information, including:
With tens of thousands of devices exposed (notably in the US and India), this presents a significant risk for large-scale automated exploitation.
Suggested Corrections:
Fortinet has released patches to address these flaws. Organizations using Fortinet products should take the following steps immediately:
Immediate Patching
Update affected products to the latest secure versions. The primary affected systems include:
Workarounds & Best Practices
If patching cannot be performed immediately:
https://bsky.app/profile/shadowserver.bsky.social/post/3madnyyaxbc2a
A critical authentication bypass vulnerability (tracked as CVE-2025-59718 and CVE-2025-59719) has been discovered affecting Fortinet devices with the FortiCloud SSO (Single Sign-On) feature enabled. The vulnerability stems from the "improper verification of cryptographic signature" within vulnerable Fortinet products. Attackers can bypass authentication by sending a maliciously crafted SAML message.
As of December 2024/2025, security watchdogs (like Shadowserver) have identified over 25,000 Fortinet devices exposed online that have this specific fingerprint. The vulnerability is being actively exploited in the wild, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.
Security Officer Comments:
The impact of this vulnerability is critical because it grants attackers administrative control without requiring valid credentials. Exploitation allows an unauthenticated remote attacker to gain full admin-level access to the device's web management interface.
Attackers can download system configuration files. These files contain sensitive information, including:
- Hashed Passwords: Which can be cracked offline to gain further access.
- Network Topology: Details of the internal network layout.
- Firewall Policies: Revealing exactly how the organization’s perimeter is defended.
With tens of thousands of devices exposed (notably in the US and India), this presents a significant risk for large-scale automated exploitation.
Suggested Corrections:
Fortinet has released patches to address these flaws. Organizations using Fortinet products should take the following steps immediately:
Immediate Patching
Update affected products to the latest secure versions. The primary affected systems include:
- FortiOS
- FortiProxy
- FortiSwitchManager
- FortiWeb
Workarounds & Best Practices
If patching cannot be performed immediately:
- Disable FortiCloud SSO: If the feature is not essential for your operations, disable it to close the attack vector. (Note: The feature is usually only enabled once a device is registered with FortiCare).
- Restrict Management Access: * Disable Public GUI Access:Ensure the web management interface is not accessible from the public internet.
- Local Management Only: Configure the device to only allow management connections from specific, trusted IP addresses or via a secure VPN/Management VLAN.
- Monitor SAML Traffic: Monitor for unusual SAML login attempts or unexpected administrative logins from unknown IP addresses.
- Credential Rotation: If you suspect a device has been compromised, rotate all administrator credentials and secrets stored in the configuration files after the patch has been applied.
https://bsky.app/profile/shadowserver.bsky.social/post/3madnyyaxbc2a