**FortiCloud SSO Exposure: 25,000 Devices Vulnerable and Cyber Attacks Active**

The security landscape has taken a worrying turn with the discovery of a critical vulnerability in FortiCloud's Single Sign-On (SSO) system, leaving over 25,000 devices open to potential compromise. The flaw, which allows hackers to bypass authentication and seize control of administrative accounts, is already being actively exploited by malicious actors.

According to a report from Shadowserver, an internet threat-monitoring organisation, more than 25,000 Fortinet units are reachable from the internet with FortiCloud SSO turned on. This staggering number highlights the urgent risk to networks using the vulnerable feature and underscores the need for organisations to take immediate action to patch their systems or disable the feature altogether.

The vulnerability, identified as CVE-2025-59718 and CVE-2025-59719, was patched by Fortinet on December 9. However, despite these efforts, hackers have been found to be actively exploiting the flaw just three days later, with reports emerging of likely exploitation affecting FortiOS 7.x/Forti* admin GUIs when FortiCloud SSO is enabled.

Arctic Wolf's report on December 12 sheds more light on the issue, stating that hackers are using fraudulent single sign-on (SSO) credentials to gain access to administrative accounts. This has raised concerns among security experts, who warn that the vulnerability could be used to steal system configuration data, including exposed management portals, scrambled passwords, and internal network maps.

With over 25,000 IP addresses linked to FortiCloud SSO being monitored by Shadowserver, it is unclear how many of these systems have been patched to defend against attacks targeting the CVE-2025-59718 and CVE-2025-59719 flaws. Yutaka Sejiyama, a threat researcher at Macnica, has also reported finding more than 30,000 Fortinet units with FortiCloud SSO active, leaving their at-risk web management portals open to the public internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the FortiCloud SSO authentication bypass flaw to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, the agency ordered U.S. federal civilian agencies to apply patches within one week, setting a deadline of December 23.

The recent flaws in FortiCloud's SSO system are not an isolated incident. Recent security weaknesses in Fortinet systems have been a frequent target for espionage, digital crime, and ransomware groups, who often use 'zero-day' exploits to strike before a fix is available. In February, Fortinet revealed that the Chinese hacking collective Volt Typhoon exploited two security gaps in FortiOS SSL VPN, establishing a backdoor into a Dutch Ministry of Defence network using a custom remote access trojan (RAT) known as 'Coathanger.'

Fortinet's cautionary statements on vulnerabilities in their systems are a stark reminder of the importance of prioritising security and patching vulnerabilities before they can be exploited by malicious actors. With over 25,000 devices at risk, organisations must take immediate action to protect themselves from this potential cyber threat.

**Key Statistics:**

* Over 25,000 Fortinet units accessible on the web with FortiCloud SSO turned on
* More than 5,400 systems located in the United States and nearly 2,000 in India
* Shadowserver monitoring over 25,000 IP addresses linked to FortiCloud SSO
* 30,044 Fortinet units worldwide have FortiCloud SSO enabled
* CISA added the FortiCloud SSO authentication bypass flaw to its list of actively exploited vulnerabilities

**Recommendations:**

* Patch systems immediately or disable the FortiCloud SSO feature altogether
* Verify and update systems regularly to ensure vulnerability patches are applied
* Implement robust security measures, including firewalls and intrusion detection systems, to prevent potential attacks
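Patching or disabling the feature stops new abuse, but the Arctic Wolf finding above (admin logins through fraudulent SSO credentials, followed by theft of configuration data) means defenders also need to check whether it has already happened. The script below is an added example for this article, not code from Fortinet, Arctic Wolf or Shadowserver: it scans admin event logs for successful SSO logins from outside the networks administrators normally use and then flags follow-on actions in the same session (creation of a new admin account, download of a configuration backup). The log lines are constructed in the key=value style of FortiOS event logs; the field names (`action`, `status`, `method`, `ui`, `srcip`, `cfgpath`, `cfgobj`), the trusted admin ranges and the alert rules are assumptions to be adjusted to the output of your own devices.

```python
"""Hunt for suspicious FortiCloud SSO admin logins in FortiOS-style event logs.

Added example, not vendor code. Log lines are CONSTRUCTED; field names are
assumptions about the key=value format and must be checked against real output.
"""
import ipaddress
import re

# Constructed sample events (RFC 5737 documentation addresses, no real device).
SAMPLE_LOGS = """\
date=2025-12-12 time=09:14:02 type=event subtype=system level=information action=login status=success user=admin ui=https(10.20.0.15) method=https srcip=10.20.0.15 msg="Administrator admin logged in successfully from https(10.20.0.15)"
date=2025-12-12 time=09:31:47 type=event subtype=system level=information action=login status=success user=admin ui=sso(203.0.113.77) method=sso srcip=203.0.113.77 msg="Administrator admin logged in successfully from sso(203.0.113.77)"
date=2025-12-12 time=09:32:10 type=event subtype=system level=information action=Add cfgpath=system.admin cfgobj=svc_backup user=admin ui=sso(203.0.113.77) msg="Add system.admin svc_backup"
date=2025-12-12 time=09:33:55 type=event subtype=system level=notice action=download user=admin ui=sso(203.0.113.77) msg="Configuration backup downloaded"
date=2025-12-12 time=10:02:12 type=event subtype=system level=information action=login status=success user=netops ui=sso(198.51.100.9) method=sso srcip=198.51.100.9 msg="Administrator netops logged in successfully from sso(198.51.100.9)"
date=2025-12-12 time=10:05:00 type=event subtype=system level=warning action=login status=failed user=admin ui=https(192.0.2.44) method=https srcip=192.0.2.44 msg="Administrator admin login failed"
"""

# Assumed: networks from which legitimate administrators log in.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# key=value pairs; values are either a double-quoted string or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ui_source_ip(ui):
    """Extract the address from a ui field such as 'sso(203.0.113.77)'."""
    m = re.search(r"\(([^)]+)\)", ui or "")
    return m.group(1) if m else None


def is_trusted(ip):
    """True when the address falls inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyse(log_text):
    """Return (rule, subject, source_ip) alerts for untrusted SSO admin activity."""
    alerts = []
    suspect_sessions = set()  # ui values of SSO logins from untrusted sources
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        is_sso_login = (
            ev.get("action") == "login"
            and ev.get("status") == "success"
            and ev.get("method") == "sso"
        )
        if is_sso_login:
            if not is_trusted(ev.get("srcip", "")):
                alerts.append(("sso_admin_login_untrusted_source", ev["user"], ev["srcip"]))
                suspect_sessions.add(ev.get("ui"))
        elif ev.get("ui") in suspect_sessions:
            src = ui_source_ip(ev["ui"])
            # New administrator created from the suspect session: persistence.
            if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
                alerts.append(("new_admin_account_via_untrusted_sso", ev.get("cfgobj"), src))
            # Configuration backup pulled from the suspect session: config theft.
            elif ev.get("action") == "download":
                alerts.append(("config_backup_via_untrusted_sso", ev.get("user"), src))
    return alerts


if __name__ == "__main__":
    for rule, subject, src in analyse(SAMPLE_LOGS):
        print(f"{rule}: subject={subject} src={src}")
```

Run against the constructed sample, the script reports three alerts for the session from 203.0.113.77 (the SSO login itself, the `svc_backup` admin account it created, and the backup download) and stays silent on the SSO login from the trusted 198.51.100.0/24 range and on the failed HTTPS login. In practice the trusted ranges should come from your change records rather than a hard-coded list, and the session correlation should be keyed on whatever session identifier your device version emits.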