Fortinet Critical Security Vulnerabilities CVE-2025-59718 and CVE-2025-59719 Exploited

Fortinet security vulnerabilities exploited

Hackers are exploiting two critical security vulnerabilities (CVSS v3 9.8) in Fortinet’s networking software to gain administrative rights and download system configuration files.

CVE-2025-59718 is a FortiCloud Single Sign-On (SSO) authentication bypass vulnerability stemming from improper verification of a cryptographic signature. It affects numerous versions of FortiOS, FortiProxy, and FortiSwitchManager.

CVE-2025-59719 is a similar SSO authentication bypass vulnerability in FortiWeb, affecting FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, and FortiWeb 7.4.0 through 7.4.9.

Hackers exploit Fortinet’s critical security vulnerabilities, CVE-2025-59718 and CVE-2025-59719.

According to Minnesota-based cybersecurity firm Arctic Wolf, threat actors have been exploiting Fortinet’s critical vulnerabilities CVE-2025-59718 and CVE-2025-59719 since December 12, 2025.

They targeted organizations with FortiCloud SSO enabled to compromise admin accounts and download configuration files. Although the feature is turned off by default, registering a device with FortiCare from the device’s GUI enables it automatically unless the administrator turns the toggle off during registration.

“Please note that the FortiCloud SSO login feature is not enabled in default factory settings,” Fortinet stated. “However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch ‘Allow administrative login using FortiCloud SSO’ in the registration page, FortiCloud SSO login is enabled upon registration.”

Upon gaining access to the web management interface, the attackers downloaded the device configuration files, exposing the network behind the device to follow-on attacks.

Information exposed via a compromised Fortinet configuration file includes the entire network map, routing tables, firewall rules, hashed passwords, internet-exposed services, and the device’s interfaces.

Meanwhile, Fortinet recommends deactivating the FortiCloud SSO feature by setting the “Allow administrative login using FortiCloud SSO” toggle to Off until a permanent security fix becomes available.

Similarly, system administrators who suspect their organizations have been compromised should rotate their Fortinet login credentials to terminate the threat actor’s access.

Restricting management access to an allow-list of trusted IP addresses should also prevent threat actors from remotely reaching compromised devices.
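The FortiOS CLI form of the two device-side mitigations above, as an added example that is not from the article or from Fortinet’s own advisory. It assumes the GUI toggle corresponds to the `admin-forticloud-sso-login` option under `config system global` and that the administrator account is named `admin` (both assumptions; check the option name against the CLI reference for your firmware).

```fortios
# Added example: FortiOS CLI equivalent of the recommended mitigations.
# Assumes "Allow administrative login using FortiCloud SSO" maps to the
# admin-forticloud-sso-login option (verify against your firmware's CLI reference).

# Weak state: what FortiCare registration leaves behind when the toggle is not cleared
config system global
    set admin-forticloud-sso-login enable
end

# Hardened state: disable FortiCloud SSO admin login until a fixed build is installed
config system global
    set admin-forticloud-sso-login disable
end

# Limit management logins for the admin account to trusted source addresses only.
# 192.0.2.0/24 is a documentation range standing in for the real management subnet.
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end

# Confirm the SSO setting is now disabled in the running configuration
show full-configuration system global | grep forticloud-sso
```

Registering the device with FortiCare again can re-enable the toggle, so re-check the setting after any registration or firmware change.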

So far, the identities of the threat actors exploiting Fortinet’s critical security vulnerabilities remain unclear. However, state-sponsored Chinese hackers have previously exploited Fortinet products to compromise various organizations for cyberespionage.

Fortinet has a history of exploitation.

Hackers have previously exploited Fortinet’s security vulnerabilities to compromise numerous organizations, including government agencies.

In February 2025, the state-sponsored Chinese hacking group Volt Typhoon exploited Fortinet’s critical security vulnerabilities (CVSS v3 9.8) CVE-2023-27997 and CVE-2022-42475 to compromise the Dutch Ministry of Defence. They used the access to drop the Coathanger remote access trojan (RAT) to maintain persistence.

In August, threat actors also exploited the critical vulnerability CVE-2025-25256 in Fortinet SSL VPNs to execute brute-force attacks against various organizations.

In November 2024, Fortinet released security updates for the high-severity OS Command Injection vulnerability CVE-2025-58034. The security flaw enabled an unauthenticated attacker to execute unauthorized code via specially crafted HTTP requests or the command-line interface (CLI).

Fortinet also patched a medium-severity unverified password change vulnerability in Fortinet FortiSOAR PaaS. The security flaw could enable a threat actor to reset the victim’s login credentials without confirming the current password.

In September 2024, Fortinet confirmed a “limited data breach” after a threat actor, “Fortibitch,” leaked 440 GB of data stolen from its Azure SharePoint instance, affecting about 0.3% of its customers.