216.73.216.86

Malicious SSO Logins Observed Following Disclosure of CVE-2025-59718 and CVE-2025-59719

· Published 15/12/2025 21:41 · Modified 21/12/2025 19:05

Export JSON

Essential information

Published
15/12/2025 21:41
Modified
21/12/2025 19:05
Tags
2025-12-15 CVE-2025-59718 CVE-2025-59719 authentication bypass firewall forticloud fortigate
Related entities
3 vulnerabilities (cve), 4 observables, 6 techniques (mitre)

Description

On December 12, 2025, intrusions involving malicious SSO logins on appliances were observed. These attacks followed Fortinet's disclosure of two critical vulnerabilities ( and ) on December 9. The vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages when SSO is enabled. Affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Malicious logins originated from specific hosting providers, targeting admin accounts. Configuration exports to the same IP addresses were also noted. Recommendations include resetting credentials, limiting management interface access, upgrading to fixed versions, and disabling login if immediate upgrade is not possible.

External references