- Fortinet disclosed two critical vulnerabilities (CVE-2025-59718, CVE-2025-59719) across multiple products on December 9, 2025.
- The vulnerabilities allow unauthenticated adversaries bypass FortiCloud SSO login authentication. Multiple security firms indicate they’ve observed exploitation in the wild.
- VulnCheck’s research team has analyzed known public PoCs and determined they are fake or incomplete; defenders should avoid writing or alerting on detections for fake or non-functional PoCs that would not succeed in real-world attacks.
On December 9, 2025, Fortinet published a critical security advisory on two CVEs affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. CVE-2025-59718 and CVE-2025-59719 have identical descriptions and affected products; the vulnerabilities arise from an improper verification of cryptographic signature issue that allows unauthenticated attackers to bypass FortiCloud SSO login authentication “via a crafted SAML message,” if FortiCloud SSO login is enabled on the device.
Per the vendor advisory:
> Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch “Allow administrative login using FortiCloud SSO” in the registration page, FortiCloud SSO login is enabled upon registration.
Both vulnerabilities were discovered internally at Fortinet and were not (to our current knowledge) exploited in the wild at time of disclosure.
Security firms Arctic Wolf and Huntress have both indicated they’ve observed malicious activity related to these issues; Arctic Wolf said they began seeing “malicious SSO logins on Fortigate appliances” on December 12, three days after the CVEs were disclosed. Huntress also noted specific post-exploitation behavior, namely that adversaries are dumping exploited device configurations after bypassing SSO authentication. Both vulnerabilities were added to VulnCheck KEV as of December 15, based on the Arctic Wolf report. CISA added CVE-2025-59718 (but not the second CVE) to their KEV on December 16.
Based on our team’s analysis, the two public PoCs for CVE-2025-59718 (as of December 18) are fake or otherwise incomplete. Neither was functional in testing across a range of affected products and configurations. As of 8 AM EST on December 18, we’re not aware of any valid public PoCs for either vulnerability.
We’ve observed a relatively high degree of chatter across social media platforms and industry groups about exploitation of one or both CVEs. At least a subset of these claims, however, appears to be based on detections of non-functional PoCs, meaning that those attacks would not succeed in a real-world environment. Threat research and security teams should avoid relying on detections written against known-fake or otherwise invalid PoCs.
Our team also developed targeted ASM queries for Initial Access Intelligence customers that look for the FortiCloud SSO login button on the system’s login page — a UI button that’s present only if the FortiCloud SSO feature is enabled as a login option. In our testing, the button disappeared once the feature was disabled. Interestingly, exposure results using this method are extremely low (under 100 at most), and in Shodan’s case absent altogether.
A full list of affected products and versions is available in the vendor advisory. Organizations should disable the FortiCloud login feature until they are able to update to a fixed version and look for unexpected logins, particularly for the admin user. Updating to a fixed version, of course, does not eradicate threat actors from compromised environments.
The VulnCheck research team is always looking for new vulnerabilities to analyze and curate. For more research like this check out our blogs Frost Checks First: Selective Exploitation, Reacting to Shells: React2Shell Variants and the CVE-2025-55182 Exploit Ecosystem, and Fortinet FortiWeb Exploitation Hits Silently Patched Vulnerability.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.
