
Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild

Last updated on Dec 17, 2025

Overview

A recently disclosed pair of vulnerabilities affecting Fortinet products, CVE-2025-59718 and CVE-2025-59719, is drawing urgent attention after confirmation of active exploitation in the wild. Both carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication with a crafted SAML message and gain administrative access to the device. Current information indicates that the two CVEs share the same root cause and differ only in the products affected: CVE-2025-59719 covers FortiWeb, while CVE-2025-59718 covers FortiOS, FortiProxy, and FortiSwitchManager.

While the vulnerable FortiCloud SSO feature is disabled in factory settings, it is enabled automatically when a device is registered to FortiCare through the GUI unless an administrator explicitly opts out, so many registered deployments are exposed without anyone having deliberately turned the feature on. Arctic Wolf has confirmed active exploitation, and CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16.

In observed attacks, threat actors authenticate as the admin user and immediately download the system configuration file, which typically contains hashed credentials. Any organization that finds indicators of compromise must therefore assume those credentials are exposed: rotate administrator and other credentials stored in the configuration and review the device for unauthorized changes. A vendor patch is available, and organizations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation is underway; this workaround reduces exposure but does not replace the patch.
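The login-then-download sequence described above lends itself to a simple stateful correlation. The following Python is an added example, not code from Rapid7, Arctic Wolf, or Fortinet: it parses FortiOS-style key=value event lines and raises an alert when a successful admin login is followed, from the same source IP and within a short window, by a configuration backup. The sample log lines are constructed for this example, and the specific `logdesc`, `action`, and `method` values (including `method="sso"`) are illustrative assumptions; take the real field values from your own devices' logs before using this as a detection.

```python
"""Correlate a successful admin login with a configuration download that
follows it within a short window, the sequence observed in these attacks.

The log lines below are CONSTRUCTED for this example: they mimic FortiOS
key=value event syntax, but the logdesc/action/method values are illustrative
assumptions, not verified identifiers from any Fortinet release.
"""
from datetime import datetime, timedelta
import re

SAMPLE_LOGS = """\
date=2025-12-16 time=09:58:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.7)" srcip=10.0.0.7 method="https" action="login" status="success"
date=2025-12-16 time=10:01:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="sso(198.51.100.23)" srcip=198.51.100.23 method="sso" action="login" status="success"
date=2025-12-16 time=10:01:40 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="sso(198.51.100.23)" srcip=198.51.100.23 action="backup" status="success"
date=2025-12-16 time=13:20:05 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="https(10.0.0.7)" srcip=10.0.0.7 action="backup" status="success"
"""

# Matches key=value or key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; the parsed timestamp goes under '_ts'."""
    ev = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    ev["_ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def is_admin_login(ev):
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("user") == "admin")


def is_config_export(ev):
    return ev.get("action") == "backup" and ev.get("status") == "success"


def correlate(lines, window=timedelta(minutes=10)):
    """Return one alert per config export that follows an admin login from the
    same source IP within `window`. Events are sorted by time first so the
    rule does not depend on ingestion order."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["_ts"])
    last_login = {}  # srcip -> most recent successful admin login event
    alerts = []
    for ev in events:
        src = ev.get("srcip")
        if is_admin_login(ev):
            last_login[src] = ev
        elif is_config_export(ev) and src in last_login:
            login = last_login[src]
            delta = ev["_ts"] - login["_ts"]
            if delta <= window:
                alerts.append({
                    "srcip": src,
                    "login_at": login["_ts"].isoformat(),
                    "export_at": ev["_ts"].isoformat(),
                    "seconds_between": int(delta.total_seconds()),
                    # An SSO-originated admin login is the specific indicator here
                    # (assumed field value, see module docstring).
                    "via_sso": login.get("method") == "sso",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

In the constructed sample, the 10.0.0.7 operator's login and backup are hours apart and produce no alert, while the SSO login from 198.51.100.23 followed by a backup 28 seconds later does. Tune the window to your administrators' habits; the point is that a legitimate admin rarely exports the full configuration within seconds of an SSO login from an address not in the management allowlist.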

Rapid7 observations

As of December 17, 2025, Rapid7 has observed CVE-2025-59718 exploitation attempts against honeypots within its network. A proof-of-concept exploit that resembles the observed honeypot requests has also been posted to GitHub. Rapid7 is in the process of validating these exploits against confirmed vulnerable targets.

Mitigation guidance

On December 9, 2025, Fortinet published an advisory outlining remediation steps for CVE-2025-59718 and CVE-2025-59719. The affected versions, and the fixed version for each main release branch, are listed below as stated by Fortinet.

Fortinet’s advisory states that CVE-2025-59718 affects the following products and versions:

  • FortiOS

    • 7.6 branch: versions 7.6.0 through 7.6.3 are affected, upgrade to 7.6.4 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.8 are affected, upgrade to 7.4.9 or above.

    • 7.2 branch: versions 7.2.0 through 7.2.11 are affected, upgrade to 7.2.12 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.17 are affected, upgrade to 7.0.18 or above.

  • FortiProxy

    • 7.6 branch: versions 7.6.0 through 7.6.3 are affected, upgrade to 7.6.4 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.10 are affected, upgrade to 7.4.11 or above.

    • 7.2 branch: versions 7.2.0 through 7.2.14 are affected, upgrade to 7.2.15 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.21 are affected, upgrade to 7.0.22 or above.

  • FortiSwitchManager

    • 7.2 branch: versions 7.2.0 through 7.2.6 are affected, upgrade to 7.2.7 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.5 are affected, upgrade to 7.0.6 or above.

Fortinet’s advisory states that CVE-2025-59719 affects the following product and versions:

  • FortiWeb

    • 8.0 branch: version 8.0.0 is affected, upgrade to 8.0.1 or above.

    • 7.6 branch: versions 7.6.0 through 7.6.4 are affected, upgrade to 7.6.5 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.9 are affected, upgrade to 7.4.10 or above.

For the latest mitigation guidance, please refer to the Fortinet security advisory.
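Checking a fleet against the ranges above by hand is error-prone, so here is an added example (not Rapid7's or Fortinet's code) that encodes the affected and fixed versions per product and branch exactly as quoted above, classifies a device by its version string, and folds in whether FortiCloud SSO admin login is enabled. The `sso_login_enabled` helper assumes that `admin-forticloud-sso-login` under `config system global` is the FortiOS CLI keyword for that switch; verify it against your release's CLI reference before relying on it. The inventory at the bottom is constructed for illustration.

```python
"""Triage a Fortinet device inventory against the affected/fixed version ranges
listed above for CVE-2025-59718 and CVE-2025-59719, combined with whether
FortiCloud SSO admin login is turned on."""
import re

CVE_BY_PRODUCT = {
    "FortiOS": "CVE-2025-59718",
    "FortiProxy": "CVE-2025-59718",
    "FortiSwitchManager": "CVE-2025-59718",
    "FortiWeb": "CVE-2025-59719",
}

# branch -> (last affected version, first fixed version), transcribed from the
# ranges quoted above. Every listed branch is affected from its .0 release.
RANGES = {
    "FortiOS": {
        (7, 6): ((7, 6, 3), (7, 6, 4)),
        (7, 4): ((7, 4, 8), (7, 4, 9)),
        (7, 2): ((7, 2, 11), (7, 2, 12)),
        (7, 0): ((7, 0, 17), (7, 0, 18)),
    },
    "FortiProxy": {
        (7, 6): ((7, 6, 3), (7, 6, 4)),
        (7, 4): ((7, 4, 10), (7, 4, 11)),
        (7, 2): ((7, 2, 14), (7, 2, 15)),
        (7, 0): ((7, 0, 21), (7, 0, 22)),
    },
    "FortiSwitchManager": {
        (7, 2): ((7, 2, 6), (7, 2, 7)),
        (7, 0): ((7, 0, 5), (7, 0, 6)),
    },
    "FortiWeb": {
        (8, 0): ((8, 0, 0), (8, 0, 1)),
        (7, 6): ((7, 6, 4), (7, 6, 5)),
        (7, 4): ((7, 4, 9), (7, 4, 10)),
    },
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract major.minor.patch; build numbers and suffixes are ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def sso_login_enabled(config_text):
    """Read the FortiCloud SSO admin-login switch from a 'config system global'
    block. ASSUMPTION: 'admin-forticloud-sso-login' is the FortiOS CLI keyword;
    confirm against your release's CLI reference. Returns True/False, or None
    when the line is absent (a plain `show` omits values at their default, so
    check `show full-configuration` before trusting None)."""
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\s*$",
                  config_text, re.MULTILINE)
    return None if m is None else m.group(1) == "enable"


def assess(product, version, sso_enabled):
    """Classify one device. sso_enabled may be True, False or None (unknown)."""
    if product not in RANGES:
        raise ValueError(f"no ranges on record for {product!r}")
    v = parse_version(version)
    result = {"product": product, "version": version, "cve": CVE_BY_PRODUCT[product]}
    branch = RANGES[product].get(v[:2])
    if branch is None:
        # Branch not among the ranges quoted here: do not assume it is safe,
        # check the advisory directly.
        result.update(status="unlisted", upgrade_to=None, priority="verify against advisory")
        return result
    last_affected, first_fixed = branch
    if v > last_affected:
        result.update(status="fixed", upgrade_to=None, priority="none")
        return result
    result["status"] = "affected"
    result["upgrade_to"] = ".".join(map(str, first_fixed))
    if sso_enabled:
        result["priority"] = ("urgent: disable FortiCloud SSO login now, patch, "
                              "and hunt for admin SSO logins and config downloads")
    elif sso_enabled is False:
        result["priority"] = "high: patch; SSO workaround already in place"
    else:
        result["priority"] = "urgent: confirm SSO state, then patch"
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample_config = "config system global\n    set admin-forticloud-sso-login enable\nend\n"
    inventory = [
        ("FortiOS", "v7.4.8 build2795", sso_login_enabled(sample_config)),
        ("FortiProxy", "7.4.11", False),
        ("FortiWeb", "8.0.0", None),
        ("FortiOS", "6.4.15", True),
    ]
    for product, version, sso in inventory:
        r = assess(product, version, sso)
        print(f"{product:<18} {version:<18} {r['status']:<9} "
              f"upgrade_to={r['upgrade_to']!s:<7} {r['priority']}")
```

Branches the advisory does not list (the 6.4 FortiOS entry in the sample) come back as "unlisted" rather than "fixed" on purpose: absence from the quoted ranges is not evidence of safety, and such devices should be checked against the advisory itself.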

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with authenticated vulnerability checks available in the December 17 content release.

Updates

  • December 17, 2025: Initial publication.

  • December 17, 2025: Coverage updated.
