Fortinet has fixed vulnerabilities in FortiOS, FortiProxy, FortiWeb and FortiSwitchManager. The vulnerabilities allow unauthenticated attackers to…

Published: 23 January 2026 at 13:20:09

Alert date: 16 December 2025 at 14:58:30

Source: ncsc.nl

Network Infrastructure, Security Tools, Identity & Access

Fortinet addressed multiple vulnerabilities in FortiOS, FortiProxy, FortiWeb and FortiSwitchManager allowing unauthenticated attackers to bypass FortiCloud SSO authentication via crafted SAML messages, maintain active SSLVPN sessions despite password changes, and execute unauthorized operations via forged HTTP/HTTPS requests. CVE-2025-59718 and CVE-2025-59719 are actively exploited for SSO bypass attacks. Initial updates proved insufficient as attacks continued on patched systems. Both Fortinet and Arctic Wolf have released IoCs and additional mitigation measures.

Technical details

Multiple vulnerabilities in Fortinet products allow unauthenticated attackers to gain system access through several techniques: bypassing FortiCloud SSO login authentication via specially crafted SAML messages, maintaining active SSLVPN sessions despite password changes, and executing unauthorized operations via forged HTTP or HTTPS requests. This can lead to unauthorized access to sensitive API data and other network resources. Researchers report active exploitation of CVE-2025-59718 and CVE-2025-59719, which allow attackers to bypass single sign-on authentication.

Mitigation steps:

Apply the Fortinet updates immediately if you have not already done so. As a mitigation measure, disable FortiCloud SSO login to prevent the authentication bypass. Implement the mitigating measures and use the published IoCs to investigate potential abuse. Rotate administrator account passwords based on the investigation results. Consider closing open administrator sessions after deploying the updates. Investigate systems for signs of compromise using the provided IoCs.
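As a starting point for the investigation step, the sketch below lists successful administrator logins made through SSO from sources you do not expect. It is an added example, not part of the NCSC advisory or Fortinet's guidance. The log lines are constructed, the IP addresses come from documentation ranges, and the field names (`logdesc`, `method`, `srcip`, `user`) and the `expected_sources` allow-list are assumptions to check against the logs your own devices emit.

```python
import re

# Constructed sample lines in a FortiOS-style key=value event log format.
# Field names and values are assumptions for illustration only.
SAMPLE_LOG = '''\
date=2025-12-14 time=09:12:01 type="event" logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.7 status="success"
date=2025-12-14 time=09:40:18 type="event" logdesc="Admin login successful" user="admin" method="sso" srcip=203.0.113.50 status="success"
date=2025-12-14 time=09:41:02 type="event" logdesc="Admin login failed" user="root" method="sso" srcip=203.0.113.50 status="failed"
date=2025-12-14 time=10:02:44 type="event" logdesc="Admin login successful" user="helpdesk" method="sso" srcip=192.0.2.10 status="success"
'''

# key=value pairs; a quoted value may contain spaces.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in KV.findall(line)}


def sso_admin_logins(log_text, expected_sources=frozenset()):
    """Return successful admin logins via SSO from unexpected source IPs."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev.get("logdesc") == "Admin login successful"
                and ev.get("method") == "sso"
                and ev.get("srcip") not in expected_sources):
            hits.append((ev.get("date"), ev.get("time"),
                         ev.get("user"), ev.get("srcip")))
    return hits


def accounts_to_review(hits):
    """Unique administrator accounts seen in the flagged logins."""
    return sorted({user for _, _, user, _ in hits})


if __name__ == "__main__":
    # 192.0.2.10 stands in for a source the operator knows to be legitimate.
    flagged = sso_admin_logins(SAMPLE_LOG, expected_sources={"192.0.2.10"})
    for date, time, user, srcip in flagged:
        print(f"{date} {time} SSO admin login: user={user} srcip={srcip}")
    print("Accounts to review:", accounts_to_review(flagged))
```

If FortiCloud SSO login has been disabled as a mitigation, leave `expected_sources` empty so that every SSO administrator login is listed for review.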

Affected products:

FortiOS
FortiProxy
FortiWeb
FortiSwitchManager

This article was created with the assistance of AI technology by Perceptive.
