Over 25,000 FortiCloud SSO devices exposed to remote attacks

Published:

19 December 2025 at 15:00:45

Alert date:

19 December 2025 at 15:02:36

Source:

bleepingcomputer.com


Network Infrastructure, Identity & Access, Zero-Day Vulnerabilities

Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online and vulnerable to remote attacks. The exposure comes amid ongoing attacks targeting a critical authentication bypass vulnerability in Fortinet systems. Internet security watchdog Shadowserver discovered these vulnerable devices, highlighting the significant security risk to organizations using FortiCloud SSO authentication. The vulnerability allows attackers to bypass authentication mechanisms and potentially gain unauthorized access to affected systems. This represents a large-scale exposure of enterprise authentication infrastructure.

Technical details

The vulnerability stems from improper verification of cryptographic signatures in FortiCloud SSO and is exploited by sending maliciously crafted SAML messages. Attackers can gain admin-level access to web management interfaces and download system configuration files, which reveal potentially vulnerable interfaces, hashed passwords, internet-facing services, network layouts, and firewall policies. The FortiCloud SSO feature is enabled when devices are registered with the FortiCare support service. Over 25,000 IP addresses with the FortiCloud SSO fingerprint have been identified, over 5,400 of them in the US and nearly 2,000 in India.

Mitigation steps:

Apply patches released by Fortinet on December 9th for CVE-2025-59718 and CVE-2025-59719. US government agencies must patch by December 23rd per CISA's Binding Operational Directive 22-01. Organizations should secure admin interfaces from public internet access and monitor for unauthorized SSO login attempts.

Affected products:

FortiOS
FortiProxy
FortiSwitchManager
FortiWeb

IOCs:

Maliciously crafted SAML messages, FortiCloud SSO fingerprint on exposed devices, Coathanger remote access trojan (RAT) malware

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
