**Over 25,000 FortiCloud SSO Devices Exposed to Remote Attacks**
More than 25,000 Fortinet devices are exposed online with the FortiCloud SSO login feature enabled, leaving them open to remote attacks through the recently patched authentication bypass flaws in that feature, according to scans by internet security watchdog Shadowserver.
The flaws, tracked as CVE-2025-59718 and CVE-2025-59719, were patched by Fortinet on December 9. Exposure is not the default state: FortiCloud SSO login is enabled only after a device is registered with the FortiCare support service. The scan results suggest, however, that many administrators of registered devices have not yet applied the patch or otherwise secured the feature.
Attackers are actively exploiting the flaws by sending maliciously crafted SAML messages to the FortiCloud SSO login feature, gaining admin-level access to the web management interface and downloading the device's system configuration file. That file contains firewall policies, the network layout, and hashed administrator passwords that attackers can attempt to crack offline.
Shadowserver's scans identified over 25,000 IP addresses with a FortiCloud SSO fingerprint, most of them in the United States (over 5,400) and India (nearly 2,000). An exposed fingerprint does not by itself show whether a device has been patched, so it is unclear how many of these devices remain vulnerable.
Macnica threat researcher Yutaka Sejiyama reported that his own scans returned over 30,000 Fortinet devices with FortiCloud SSO enabled and their web management interfaces exposed to the internet. "Given how frequently FortiOS admin GUI vulnerabilities have been exploited in the past, it is surprising that this many admin interfaces remain publicly accessible," Sejiyama said.
CISA has ordered all U.S. federal agencies to patch the flaws within a week, by December 23, under Binding Operational Directive 22-01, which requires agencies to remediate vulnerabilities listed in the agency's Known Exploited Vulnerabilities catalog. The two CVEs join a long list of Fortinet security flaws exploited by cyber-espionage, cybercrime, and ransomware groups.
Fortinet products have been hit by a string of zero-day vulnerabilities in recent months. In November, the company warned of a FortiWeb zero-day being exploited in the wild, one week after silently patching another FortiWeb zero-day that had been abused in widespread attacks. The Chinese Volt Typhoon hacking group also exploited two FortiOS SSL VPN flaws to backdoor a Dutch Ministry of Defence military network using the custom Coathanger remote access trojan (RAT).
With more than 25,000 devices exposed, administrators should upgrade to a fixed FortiOS build as soon as possible, disable FortiCloud SSO login on devices that do not need it, and keep the administrative interface off the internet. Registering a device with FortiCare is what enables the SSO feature, so registration by itself does not close the hole; patching and limiting exposure do.
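The configuration changes behind that advice, written out as an added example (this is the editor's illustration, not text from the article or from Fortinet's advisory). The CLI option names are given as the editor recalls them from the FortiOS command reference and are an assumption to confirm against the advisory for your firmware branch; the interface name `wan1`, the admin account `admin`, and the management subnet are constructed placeholders. The first block shows the weak state that the exposed devices are likely in, the second the hardened state, and the `show` commands are the check to run before and after.

```text
# Added example, not from the article or Fortinet. Option names are assumed
# from the FortiOS CLI reference; confirm on your build. wan1, admin and
# 10.0.0.0/24 are constructed placeholders.

# --- Check: is FortiCloud SSO admin login on, and which interfaces serve the GUI?
show full-configuration system global | grep forticloud-sso
show system interface wan1

# --- Weak state (what an exposed, FortiCare-registered device looks like):
#     SSO login enabled and HTTPS admin access allowed on the WAN interface.
config system global
    set admin-forticloud-sso-login enable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# --- Hardened state: SSO login off unless it is actually used, no admin
#     protocols on the WAN interface, and admin accounts tied to trusted hosts.
#     Apply this in addition to upgrading to a fixed FortiOS build, not instead of it.
config system global
    set admin-forticloud-sso-login disable
end
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
```

Disabling `admin-forticloud-sso-login` removes the feature the crafted SAML messages target; removing `https` from `allowaccess` on internet-facing interfaces and setting `trusthost` entries limit who can reach the admin GUI at all, which also blunts the next GUI vulnerability rather than only this one. Re-run the `show` commands after the change and re-check the device from outside to confirm the management interface no longer answers.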
**Related Stories:**
* **Hackers exploit newly patched Fortinet auth bypass flaws**
* **Fortinet warns of critical FortiCloud SSO login auth bypass flaws**
* **CISA gives govt agencies 7 days to patch new Fortinet flaw**
* **Fortinet warns of new FortiWeb zero-day exploited in attacks**