Overview
- Attackers began abusing CVE-2025-59718 and CVE-2025-59719 on December 12 to gain admin access on FortiGate and related appliances and to export configuration files.
- CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal civilian agencies to remediate by December 23.
- The flaws stem from improper cryptographic signature verification in SAML handling and affect FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb when FortiCloud SSO is enabled.
- Arctic Wolf observed logins targeting the admin account and configuration downloads routed to IPs tied to providers including The Constant Company, BL Networks, and Kaopu Cloud HK.
- Fortinet released patches on December 9 and advises disabling FortiCloud SSO until appliances are updated. Responders urge checking for IOCs, rotating firewall credentials, and restricting management access; Rapid7 reported honeypot hits after a public proof-of-concept appeared on GitHub.
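The IOC check the responders describe above comes down to hunting the two events the reporting pairs together: an admin login via SSO and a configuration export, both from addresses outside the management network or on an indicator list. The script below is an added example, not Fortinet's, Arctic Wolf's or Rapid7's code. It parses constructed FortiOS-style key=value log lines (the field names such as action, method and srcip are assumptions to be mapped onto the device's real event log fields), treats 10.10.0.0/24 as the assumed trusted management network, and uses a placeholder IOC address because the article names hosting providers rather than IPs.

```python
"""Hunt for admin SSO logins and configuration exports in FortiGate-style
event logs. Added example; not Fortinet's code or tooling."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in FortiOS-style key=value syntax. The field names
# (action, method, srcip, ...) are assumptions for illustration and should be
# mapped to the real fields of the device's event logs before use.
SAMPLE_LOGS = """\
date=2025-12-12 time=03:14:07 type=event subtype=system action=login status=success user=admin method=sso srcip=203.0.113.45 msg="Administrator admin logged in successfully from SSO"
date=2025-12-12 time=03:14:20 type=event subtype=system action=backup status=success user=admin srcip=203.0.113.45 msg="Configuration backup downloaded"
date=2025-12-12 time=09:02:11 type=event subtype=system action=login status=success user=admin method=https srcip=10.10.0.5 msg="Administrator admin logged in successfully"
date=2025-12-12 time=09:05:42 type=event subtype=system action=backup status=success user=admin srcip=10.10.0.5 msg="Configuration backup downloaded"
date=2025-12-12 time=11:47:59 type=event subtype=system action=login status=failed user=admin method=sso srcip=198.51.100.7 msg="Administrator admin login failed"
"""

# Networks allowed to reach the management interface (constructed assumption).
TRUSTED_MGMT = [ip_network("10.10.0.0/24")]
# Placeholder IOC addresses: the article names hosting providers, not IPs, so
# this is a constructed stand-in for the vendor-published indicator list.
IOC_IPS = {"203.0.113.45"}
# A config export shortly after an SSO admin login from the same source is the
# pattern described in the reporting; the window size is a tuning choice.
CORRELATION_WINDOW = timedelta(minutes=30)

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes and
    adding a datetime under 'ts'."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def is_trusted(ip):
    """True when the source address lies inside an allowed management network."""
    return any(ip_address(ip) in net for net in TRUSTED_MGMT)


def find_suspicious(log_text):
    """Return findings for (a) admin SSO logins, successful or failed, from
    addresses outside the management networks or on the IOC list, and
    (b) configuration exports from such addresses, flagged 'correlated' when
    a successful SSO admin login from the same address precedes them within
    CORRELATION_WINDOW."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    sso_logins = []  # (ts, srcip) of successful SSO admin logins seen so far
    findings = []
    for ev in events:
        src = ev.get("srcip")
        if not src:
            continue
        suspect = src in IOC_IPS or not is_trusted(src)
        if ev.get("action") == "login" and ev.get("user") == "admin" and ev.get("method") == "sso":
            if ev.get("status") == "success":
                sso_logins.append((ev["ts"], src))
            if suspect:
                findings.append({"kind": "sso_admin_login", "srcip": src,
                                 "status": ev.get("status"), "ioc": src in IOC_IPS,
                                 "ts": ev["ts"].isoformat()})
        elif ev.get("action") == "backup" and suspect:
            correlated = any(s == src and timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW
                             for t, s in sso_logins)
            findings.append({"kind": "config_export", "srcip": src,
                             "ioc": src in IOC_IPS, "correlated": correlated,
                             "ts": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed sample, the script reports the SSO login and the config export from the IOC address (the export flagged as correlated, since it follows the login by seconds), and the failed SSO attempt from an untrusted address; the HTTPS login and backup from the management network produce nothing. Failed SSO logins are kept deliberately: a flood of them against the admin account from one source is worth seeing even when none succeeds.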