Overview
Update for CVE-2026-24858: On January 27, 2026, Fortinet disclosed CVE-2026-24858, a critical unauthenticated vulnerability allowing authentication bypass via Fortinet’s cloud SSO. Confirmed as a net-new vulnerability rather than a patch bypass, it has been observed under active zero-day exploitation. The issue affects FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. However, because Fortinet has deployed a fix to the cloud environment, a client-side patch is not required to prevent exploitation. Please refer to the ‘Mitigation guidance’ section for further details.
A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.
While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out. This behavior significantly increases the likelihood of exposure across registered deployments. Arctic Wolf has confirmed active exploitation and CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.
Observed attacks show threat actors authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials. As a result, any organization with indicators of compromise must assume credential exposure and respond accordingly.
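The login-then-config-download sequence described above is a useful hunting pattern. The following is an added example (not Rapid7's or Fortinet's code) that flags it over event logs; the key=value log format and the field names (event, method, src) are a constructed simplification for illustration, not a real FortiOS log schema, so map them to your own log source before use.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (assumed simplified key=value format, not a real
# FortiOS schema). Source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ts=2025-12-17T08:01:05Z event=admin_login user=admin src=203.0.113.7 method=sso status=success
ts=2025-12-17T08:01:09Z event=config_download user=admin src=203.0.113.7
ts=2025-12-17T09:30:00Z event=admin_login user=admin src=198.51.100.20 method=local status=success
ts=2025-12-17T09:45:00Z event=config_download user=admin src=198.51.100.20
ts=2025-12-17T10:12:44Z event=admin_login user=admin src=192.0.2.55 method=sso status=success
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict; the ts field becomes a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_sso_login_then_download(log_text, window_seconds=60):
    """Return one record per successful SSO admin login that is followed, from
    the same source and user, by a config download within window_seconds."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    hits = []
    for i, ev in enumerate(events):
        if (ev.get("event") != "admin_login" or ev.get("method") != "sso"
                or ev.get("status") != "success"):
            continue
        for later in events[i + 1:]:
            delta = later["ts"] - ev["ts"]
            if delta > window:
                break  # events are time-ordered, nothing later can match
            if (later.get("event") == "config_download"
                    and later.get("src") == ev["src"]
                    and later.get("user") == ev["user"]):
                hits.append({"src": ev["src"], "user": ev["user"],
                             "login_ts": ev["ts"], "download_ts": later["ts"],
                             "delta_s": int(delta.total_seconds())})
                break
    return hits


if __name__ == "__main__":
    for hit in find_sso_login_then_download(SAMPLE_LOG):
        print(f"suspicious: {hit['user']} from {hit['src']} downloaded config "
              f"{hit['delta_s']}s after SSO login at {hit['login_ts']}")
```

Any hit should trigger the credential-exposure response noted above, since the downloaded configuration typically contains hashed credentials.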
Rapid7 observations
Rapid7 initially observed CVE-2025-59718 exploitation attempts against honeypots on December 17, 2025, alongside a proof-of-concept exploit on GitHub resembling those requests. Update as of January 16, 2026: Rapid7 has identified threat actors actively exploiting the authentication bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 on vulnerable FortiGate devices exposed to the public internet.
Mitigation guidance
- CVE-2025-59718 and CVE-2025-59719:
  - Fortinet has published an advisory that lists fixed versions for CVE-2025-59718 and CVE-2025-59719.
- CVE-2026-24858:
  - According to Fortinet’s advisory, a patch deployed to their own FortiCloud SSO infrastructure on January 26, 2026 has remediated the vulnerability. Patched software is nonetheless available for customers, because the cloud-side fix introduces breaking changes to the FortiCloud SSO login protocol; for that reason, the advisory lists fixed versions along with IoCs from exploitation in the wild.
  - Per Fortinet, FortiAnalyzer, FortiManager, FortiOS, and FortiProxy are confirmed to be affected, and a vendor investigation is ongoing (as of January 27, 2026) to determine whether FortiWeb and FortiSwitchManager are affected.
  - For the latest information, please refer to the official Fortinet advisory for CVE-2026-24858.
Rapid7 customers
Exposure Command, InsightVM and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with authenticated vulnerability checks available in the December 17 content release.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-59718 and CVE-2025-59719, including indicators of compromise (IOCs).
Updates
- December 17, 2025: Initial publication.
- December 17, 2025: Coverage updated.
- December 18, 2025: Added Intelligence Hub section.
- January 16, 2026: Active exploitation observed.
- January 26, 2026: Added information about the January 2026 advisory blog post and the new recommended mitigation steps.
- January 27, 2026: Added information about CVE-2026-24858.
