Fortinet Product Vulnerabilities Exposed to Hackers

Hackers are exploiting critical-severity vulnerabilities in multiple Fortinet products to gain unauthorized access to admin accounts and steal system configuration files. The two main issues affect FortiOS, FortiProxy, and FortiSwitchManager.

Fortinet reported two vulnerabilities, CVE-2025-59718 and CVE-2025-59719, on December 9, warning of potential exploitation. Both are authentication bypasses in FortiCloud SSO, a feature that enables single sign-on logins for administrators. The feature is not enabled by default, but it can be automatically activated if devices are registered through the FortiCare user interface.

Researchers at Arctic Wolf observed attacks starting on December 12, originating from several IP addresses linked to The Constant Company, BL Networks, and Kaopu Cloud HK. These hackers targeted admin accounts using malicious single sign-on logins, gaining access to the web management interface and downloading configuration files.

Configuration files can reveal sensitive information about network layouts, internet-facing services, firewall policies, and potentially vulnerable interfaces. The exfiltration of these files suggests that this is not a legitimate security testing operation but rather part of a malicious attack.

To prevent attacks, Fortinet recommends disabling the FortiCloud login feature until an upgrade to a safer version is possible. System administrators are advised to move to one of the recommended versions:

– FortiOS 7.6.4+, 7.4.9+, 7.2.12+, and 7.0.18+
– FortiProxy 7.6.4+, 7.4.11+, 7.2.15+, and 7.0.22+
– FortiSwitchManager 7.2.7+, 7.0.6+
– FortiWeb 8.0.1+, 7.6.5+, 7.4.10+
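
An inventory check against the version list above, as an added example that is not from the original article or from Fortinet. The function names and the sample inventory are constructed for illustration; branches that do not appear in the list are reported as `unknown` rather than guessed.

```python
import re

# Minimum fixed patch level per product branch, taken from the list above.
FIXED = {
    "FortiOS": {(7, 6): 4, (7, 4): 9, (7, 2): 12, (7, 0): 18},
    "FortiProxy": {(7, 6): 4, (7, 4): 11, (7, 2): 15, (7, 0): 22},
    "FortiSwitchManager": {(7, 2): 7, (7, 0): 6},
    "FortiWeb": {(8, 0): 1, (7, 6): 5, (7, 4): 10},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def check_version(product, version):
    """Return 'fixed', 'needs-upgrade', or 'unknown' for one device."""
    branches = FIXED.get(product)
    match = _VERSION_RE.match(version.strip())
    if branches is None or match is None:
        return "unknown"  # product not in the list, or unparsable version
    major, minor, patch = (int(g) for g in match.groups())
    min_patch = branches.get((major, minor))
    if min_patch is None:
        # Branch is not in the list; do not infer its status from other branches.
        return "unknown"
    # Compare numerically: as strings, "9" would sort after "12".
    return "fixed" if patch >= min_patch else "needs-upgrade"


def triage(inventory):
    """Map each (hostname, product, version) row to a status, worst first."""
    order = {"needs-upgrade": 0, "unknown": 1, "fixed": 2}
    rows = [(host, product, version, check_version(product, version))
            for host, product, version in inventory]
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("fw-edge-01", "FortiOS", "7.4.8"),
        ("fw-edge-02", "FortiOS", "v7.4.9"),
        ("proxy-01", "FortiProxy", "7.2.15"),
        ("fsm-01", "FortiSwitchManager", "7.0.5"),
        ("fw-lab-01", "FortiOS", "6.4.15"),
        ("waf-01", "FortiWeb", "8.0.1"),
    ]
    for host, product, version, status in triage(sample):
        print(f"{status:14} {host:12} {product} {version}")
```

Devices reported as `needs-upgrade` or `unknown` are the ones to check first for the FortiCloud login setting while an upgrade is scheduled.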

It is also recommended to limit firewall/VPN management access to trusted internal networks only and rotate firewall credentials as soon as possible if any signs of compromise are discovered.

These vulnerabilities highlight the importance of keeping security measures up to date, especially for organizations using Fortinet products.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws