**U.S. CISA Adds Critical Flaw in Multiple Fortinet Products to Its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability impacting multiple products from Fortinet to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw, tracked as CVE-2025-59718 (CVSS score of 9.1), is an improper verification of cryptographic signature issue: when the FortiCloud SSO login feature is enabled, an unauthenticated attacker can bypass it by sending a crafted SAML message.
Fortinet addressed 18 vulnerabilities last week, including the two critical flaws CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.1), affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled.
Both flaws affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager only when FortiCloud SSO login is enabled. The feature is disabled in factory settings, but it is switched on automatically when an administrator registers the device to FortiCare from the GUI, unless the "Allow administrative login using FortiCloud SSO" toggle on the registration page is disabled first. Devices that were registered this way are therefore exposed even though nobody explicitly turned SSO login on.
"Please note that the FortiCloud SSO login feature is not enabled in default factory settings," reads the advisory. "However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration."
As a temporary mitigation, the vendor recommends disabling the FortiCloud SSO login feature (if enabled) until the device is upgraded to a fixed version.
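As an added illustration (not text from the advisory), here is the exposed setting next to the mitigated one as they appear in the FortiOS CLI. The `admin-forticloud-sso-login` attribute under `config system global` is taken from my own knowledge of FortiOS 7.x and should be confirmed against the vendor advisory for the exact build in use; the `#` lines are explanatory comments, not commands.

```text
# Exposed state: what GUI registration to FortiCare leaves behind unless the
# "Allow administrative login using FortiCloud SSO" toggle was switched off
config system global
    set admin-forticloud-sso-login enable
end

# Vendor-recommended workaround until the device is upgraded: disable the
# FortiCloud SSO admin login so the SAML path cannot be reached at all
config system global
    set admin-forticloud-sso-login disable
end

# Verify the effective value after the change
show full-configuration system global | grep admin-forticloud-sso-login
```

Because the toggle is flipped during registration rather than by an explicit admin decision, the verification step is the important one: check every registered device rather than assuming the factory default still applies.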
**Arctic Wolf Researchers Observe Attacks Exploiting Critical Fortinet Authentication Bypass Flaws**
Arctic Wolf researchers observed attackers exploiting the critical Fortinet authentication bypass flaws beginning on December 12, 2025, three days after Fortinet published the patches.
The attacks involved malicious SSO logins to FortiGate devices, originating from a small set of hosting providers and mainly targeting the built-in admin account. After gaining access, the attackers exported the device configuration via the GUI. Configuration backups contain hashed credentials that threat actors can attempt to crack offline, increasing the risk of further compromise.
"On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances," reads the report. "Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter."
The experts reported that the intrusions involved SSO logins from specific IP addresses belonging to a handful of hosting providers, with the admin account as the primary target and the SSO authentication succeeding in each observed case.
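The activity described above (a successful admin login over FortiCloud SSO from an unexpected source, followed by a configuration export from the same session) is something a practitioner can hunt for in FortiGate event logs. The following is an added example, not Arctic Wolf's or Fortinet's tooling. The sample log lines are constructed to resemble FortiOS key=value event logs; the field names and values keyed on (`ui`, `method`, `action`, `logdesc`) and the trusted management networks are assumptions and must be checked against the log reference for the FortiOS build in use before relying on this logic.

```python
"""Triage FortiOS event logs for SSO admin logins from untrusted sources and
configuration exports that follow them.

Added example, not vendor or Arctic Wolf code. SAMPLE_LOGS are constructed;
field names/values are assumptions to verify against the FortiOS log reference.
"""
import ipaddress
import re

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Networks from which interactive admin logins are expected (assumption).
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: untrusted SSO login + config backup, then benign activity.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="sso(203.0.113.45)" method="sso" srcip=203.0.113.45 dstip=198.51.100.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from sso(203.0.113.45)"',
    'date=2025-12-12 time=03:16:22 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Config backup" user="admin" '
    'ui="GUI(203.0.113.45)" srcip=203.0.113.45 action="backup" status="success" '
    'msg="Configuration backup done by admin via GUI"',
    'date=2025-12-12 time=09:00:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="netops" '
    'ui="https(10.20.30.40)" method="https" srcip=10.20.30.40 dstip=198.51.100.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator netops logged in successfully from https(10.20.30.40)"',
    'date=2025-12-12 time=09:05:44 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="sso(10.20.30.40)" method="sso" srcip=10.20.30.40 dstip=198.51.100.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from sso(10.20.30.40)"',
]


def parse_fortios_log(line):
    """Parse one FortiOS syslog line into a dict of fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_trusted_source(ip):
    """True if ip falls inside one of the expected management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed srcip is treated as untrusted
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def is_sso_admin_login(f):
    """Successful admin login whose UI or method indicates FortiCloud SSO."""
    return (
        f.get("action") == "login"
        and f.get("status") == "success"
        and (f.get("method") == "sso" or f.get("ui", "").startswith("sso"))
    )


def is_config_export(f):
    """Configuration backup/export event (field values assumed, see docstring)."""
    return f.get("action") == "backup" or "backup" in f.get("logdesc", "").lower()


def triage(lines):
    """Return findings in log order.

    Kinds: sso_login_untrusted (SSO admin login from outside TRUSTED_ADMIN_NETS)
           config_export_after_sso (config export by a user/IP pair flagged above)
    """
    findings = []
    flagged = set()  # (user, srcip) pairs that logged in via SSO from untrusted sources
    for line in lines:
        f = parse_fortios_log(line)
        when = f"{f.get('date', '?')} {f.get('time', '?')}"
        user, src = f.get("user"), f.get("srcip")
        if is_sso_admin_login(f) and not is_trusted_source(src):
            flagged.add((user, src))
            findings.append({"kind": "sso_login_untrusted", "time": when, "user": user, "srcip": src})
        elif is_config_export(f) and (user, src) in flagged:
            findings.append({"kind": "config_export_after_sso", "time": when, "user": user, "srcip": src})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed sample, the script reports the SSO login from 203.0.113.45 and the configuration backup that followed it, while the HTTPS login and the SSO login from the internal management range produce nothing. In a real hunt, any SSO login that succeeded while the device was unpatched deserves review regardless of source address, since the bypass does not depend on where the attacker connects from; the trusted-network filter here only prioritises the obvious cases.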
**CISA Orders Federal Agencies to Fix Vulnerabilities by December 23**
CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to fix the vulnerabilities by December 23, 2025. Private organizations are also urged to review the Catalog and address the vulnerabilities in their infrastructure.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
**Recommendations**
Administrators are urged to check for signs of compromise (in particular unexpected SSO admin logins and configuration exports), reset credentials if a compromise is suspected, and restrict firewall management access to trusted networks. Fortinet has released patches across multiple FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb versions, and advises disabling FortiCloud SSO admin login until the upgrade is applied.