Over 25,000 FortiCloud SSO devices exposed to remote attacks

A critical security vulnerability has been uncovered, leaving over 25,000 Fortinet devices vulnerable to remote attacks. The issue stems from a critical authentication bypass flaw in the FortiCloud Single Sign-On (SSO) feature, which attackers are exploiting to compromise administrator accounts. The vulnerability, tracked as CVE-2025-59718 and CVE-2025-59719, affects FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.

The affected devices are reachable from the internet, and the flaw is being actively exploited to gain unauthorized access to the web management interface and to download system configuration files. Those files contain hashed passwords, the list of internet-facing services, network layouts, and firewall policies, all of which are of direct value to an attacker. The severity of the issue is underlined by its addition to CISA's catalog of actively exploited vulnerabilities, which obliges U.S. federal agencies to patch within a week.

This is not an isolated case. Fortinet products have a history of being targeted by cyber-espionage, cybercrime, and ransomware groups, often through zero-day vulnerabilities. For instance, the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws to backdoor a Dutch Ministry of Defence military network. More recently, Fortinet warned of a FortiWeb zero-day vulnerability being exploited in the wild, just one week after confirming a silent patch for another FortiWeb zero-day.

The impact of this security flaw extends beyond IT and affects the entire business. To address it, organizations should consider breaking down IAM silos and implementing robust IAM practices to ensure comprehensive security.