Fortinet vulnerabilities prompt pre-holiday warnings

Two newly discovered vulnerabilities in Fortinet's product portfolio have triggered a holiday alert for defenders after they were added this week to the Known Exploited Vulnerabilities (KEV) catalogue maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).

The two vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, allow an attacker to bypass FortiCloud single sign-on (SSO) authentication via a malicious Security Assertion Markup Language (SAML) message. According to Fortinet, they are present in several versions of FortiOS, FortiWeb, FortiProxy and FortiSwitchManager.

It should be noted that although the affected feature is not enabled by default out of the box, it is automatically enabled if and when the device is registered with FortiCare Technical Services via the GUI, unless explicitly opted out by the customer administrator.

In a statement, the US Cybersecurity and Infrastructure Security Agency (CISA) said: “This type of vulnerability is a common attack vector for cyber adversaries and poses significant risks to the federal enterprise.”

Fortinet initially reported the flaws on December 9; multiple third parties are now reporting ongoing exploitation of CVE-2025-59718 and CVE-2025-59719.

Rapid7 analysts, who intercepted multiple exploit attempts against their honeypots after a proof-of-concept exploit was published on GitHub, said that in many of the observed attacks the attackers authenticated as an admin user and immediately downloaded the target's system configuration file. These files often contain hashed credentials.

“As a result, any organization with indicators of compromise [IOCs] must accept the impact of the credentials and respond accordingly. A vendor patch is available, and organizations can also take immediate protective action by disabling administrative logins to FortiCloud SSO while remediation efforts are undertaken,” the Rapid7 team said.
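The sequence Rapid7 describes, an admin login through FortiCloud SSO followed almost immediately by a configuration download from the same source, is a pattern that can be hunted for in existing device event logs. The script below is an added example, not code from the article, Rapid7 or Fortinet. The log lines are constructed for illustration in FortiGate-style key="value" syslog format; the field names and values it keys on (action, method, msg) are assumptions and must be checked against what your own FortiOS version actually emits before using it in production.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real device). Source
# addresses use documentation ranges. Field names and values such as
# method="sso" and the config-backup msg text are assumptions.
SAMPLE_LOGS = [
    'date=2025-12-17 time=09:12:03 type="event" subtype="system" action="login" status="success" user="admin" method="sso" srcip="203.0.113.10"',
    'date=2025-12-17 time=09:12:41 type="event" subtype="system" action="download" status="success" user="admin" msg="Configuration backup downloaded" srcip="203.0.113.10"',
    'date=2025-12-17 time=10:05:00 type="event" subtype="system" action="login" status="success" user="netops" method="sso" srcip="10.0.0.5"',
    'date=2025-12-17 time=14:30:00 type="event" subtype="system" action="download" status="success" user="netops" msg="Configuration backup downloaded" srcip="10.0.0.5"',
    'date=2025-12-17 time=15:00:12 type="event" subtype="system" action="login" status="success" user="admin" method="local" srcip="10.0.0.7"',
    'date=2025-12-17 time=15:00:40 type="event" subtype="system" action="download" status="success" user="admin" msg="Configuration backup downloaded" srcip="10.0.0.7"',
]

# Matches key=value and key="value with spaces" pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value / key="value" log line into a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def event_time(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def find_sso_login_then_config_download(lines, window=timedelta(minutes=10)):
    """Return hits where a successful SSO login by (user, srcip) is followed
    within `window` by a configuration download from the same (user, srcip).
    A later non-SSO login for the same pair resets the state, so ordinary
    local-admin backups are not flagged."""
    last_sso_login = {}
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event" or f.get("status") != "success":
            continue
        key = (f.get("user"), f.get("srcip"))
        ts = event_time(f)
        if f.get("action") == "login":
            if f.get("method") == "sso":
                last_sso_login[key] = ts
            else:
                last_sso_login.pop(key, None)
        elif f.get("action") == "download" and "Configuration" in f.get("msg", ""):
            login_ts = last_sso_login.get(key)
            if login_ts is not None and timedelta(0) <= ts - login_ts <= window:
                hits.append({
                    "user": key[0],
                    "srcip": key[1],
                    "login": login_ts.isoformat(),
                    "download": ts.isoformat(),
                    "gap_seconds": int((ts - login_ts).total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in find_sso_login_then_config_download(SAMPLE_LOGS):
        print("SSO login followed by config download:", hit)
```

Run against the constructed sample, only the admin session from 203.0.113.10 is reported: the netops download happens hours after its login, and the second admin backup follows a local (non-SSO) login. Any hit should be treated as the indicator Rapid7 describes, with the downloaded configuration's credentials assumed exposed.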

Arctic Wolf researchers said that, in addition to applying available updates from Fortinet, organizations that find themselves affected should, as a precautionary measure, reset their firewall credentials on the basis that they may have been compromised and stolen, and limit access to firewall and virtual private network (VPN) devices to trusted internal users.

Because its products are deeply embedded in many networks, Fortinet is often targeted by attackers as an initial entry point into victims' broader IT environments, so further attempts to exploit this latest pair of vulnerabilities are considered highly likely.

Christmas gifts

In addition to the Fortinet authentication bypass issues, CISA has added a few more high-profile flaws to the KEV catalogue ahead of the holidays.

These include CVE-2025-69374, a vulnerability in ASUS Live Update in which malicious code was embedded after unauthorized modifications were made in a supply chain attack.

Multiple Cisco products, including AsyncOS software on Cisco Secure Email Gateway and Secure Email and Web Manager appliances, are affected by an input validation vulnerability, tracked as CVE-2025-20393, that could allow an attacker to execute arbitrary commands with root privileges.

Finally, SonicWall users should patch CVE-2025-40602, a missing-authorization issue that allows privilege escalation in the SMA1000 series Secure Access Gateway appliance management console.

At the time of writing, none of the vulnerabilities listed above have been exploited in ransomware attacks.
