Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild

Dec 17 2025

Overview

A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.

While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out. This behavior significantly increases the likelihood of exposure across registered deployments. Arctic Wolf has confirmed active exploitation and CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.

Observed attacks show threat actors authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials. As a result, any organization with indicators of compromise must assume credential exposure and respond accordingly. A vendor patch is available, and organizations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation efforts are underway.
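The post-compromise pattern described above (an admin login immediately followed by a configuration download) is something a SOC can hunt for in existing device event logs. The script below is an added example written for this page, not code from Rapid7 or Fortinet: it parses FortiOS-style `key="value"` event lines, pairs each successful admin login with the first configuration download from the same user and source address within a short window, and reports the pairs. The sample log lines, the field names used (`action`, `status`, `user`, `ui`) and the time window are constructed assumptions; map them to the fields and log IDs of your own device before relying on the rule.

```python
"""Correlate admin logins with immediate configuration downloads.

Added example (not from the Rapid7 post or from Fortinet). The log lines
below are constructed for this example: they follow the key="value"
convention of FortiOS event logs, but the message texts and field values
are illustrative, not copied from a real device.
"""
import re
from datetime import datetime, timedelta

# key=value pairs; the value is either "quoted, may contain spaces" or bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# FortiOS-style ui field, e.g. https(203.0.113.10) -> interface and source address.
_UI_RE = re.compile(r"(\w+)\((.+)\)")

SAMPLE_LOGS = [  # constructed sample input
    'date=2025-12-16 time=09:00:01 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully"',
    'date=2025-12-16 time=09:00:07 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.10)" action="download" status="success" '
    'msg="User admin downloaded system configuration"',
    'date=2025-12-16 time=11:30:00 type="event" subtype="system" user="netops" '
    'ui="https(10.0.0.5)" action="login" status="success" '
    'msg="Administrator netops logged in successfully"',
    'date=2025-12-16 time=12:45:00 type="event" subtype="system" user="netops" '
    'ui="https(10.0.0.5)" action="download" status="success" '
    'msg="User netops downloaded system configuration"',
    'date=2025-12-16 time=13:00:00 type="event" subtype="system" user="admin" '
    'ui="ssh(10.0.0.6)" action="login" status="failed" '
    'msg="Administrator admin login failed"',
]


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV_RE.finditer(line)}


def _ts(rec: dict) -> datetime:
    """Timestamp of a record from its date and time fields."""
    return datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")


def _src(rec: dict) -> str:
    """Source address embedded in the ui field, or '' if absent."""
    m = _UI_RE.match(rec.get("ui", ""))
    return m.group(2) if m else ""


def find_login_then_download(lines, window=timedelta(minutes=10)):
    """Return one hit per successful login that is followed, within `window`,
    by a configuration download from the same user and source address."""
    records = sorted((parse_line(l) for l in lines), key=_ts)
    hits = []
    for i, login in enumerate(records):
        if login.get("action") != "login" or login.get("status") != "success":
            continue
        for later in records[i + 1:]:
            delta = _ts(later) - _ts(login)
            if delta > window:
                break  # records are time-sorted; nothing later can match
            if (later.get("action") == "download"
                    and later.get("user") == login.get("user")
                    and _src(later) == _src(login)):
                hits.append({
                    "user": login["user"],
                    "src": _src(login),
                    "login_time": _ts(login).isoformat(),
                    "download_time": _ts(later).isoformat(),
                    "seconds": int(delta.total_seconds()),
                })
                break  # report the first download only
    return hits


if __name__ == "__main__":
    for hit in find_login_then_download(SAMPLE_LOGS):
        print(f'{hit["user"]} from {hit["src"]}: login {hit["login_time"]}, '
              f'config download {hit["seconds"]}s later')
```

Only the `admin` pair is reported: the `netops` download happens 75 minutes after its login, outside the window, and the failed SSH login never qualifies. A hit on its own is not proof of compromise (administrators do back up configurations), but given the observed tradecraft a hit on the built-in `admin` account from an unfamiliar address is the event to triage first, and a confirmed hit means treating every credential in that configuration file as exposed.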

Rapid7 observations

As of December 17, 2025, Rapid7 has observed CVE-2025-59718 exploitation attempts being performed against honeypots within its network. Furthermore, a proof-of-concept exploit that resembles the observed honeypot requests has been posted to GitHub. Rapid7 is in the process of validating these exploits against the confirmed vulnerable targets.

Mitigation guidance

On December 9th, 2025, Fortinet published an advisory that outlines remediation steps for CVE-2025-59718 and CVE-2025-59719. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed.

Fortinet’s advisory states that CVE-2025-59718 affects the following products and versions:

  • FortiOS

    • 7.6 branch: versions 7.6.0 through 7.6.3 are affected, upgrade to 7.6.4 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.8 are affected, upgrade to 7.4.9 or above.

    • 7.2 branch: versions 7.2.0 through 7.2.11 are affected, upgrade to 7.2.12 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.17 are affected, upgrade to 7.0.18 or above.

  • FortiProxy

    • 7.6 branch: versions 7.6.0 through 7.6.3 are affected, upgrade to 7.6.4 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.10 are affected, upgrade to 7.4.11 or above.

    • 7.2 branch: versions 7.2.0 through 7.2.14 are affected, upgrade to 7.2.15 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.21 are affected, upgrade to 7.0.22 or above.

  • FortiSwitchManager

    • 7.2 branch: versions 7.2.0 through 7.2.6 are affected, upgrade to 7.2.7 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.5 are affected, upgrade to 7.0.6 or above.

Fortinet’s advisory states that CVE-2025-59719 affects the following product and versions:

  • FortiWeb

    • 8.0 branch: version 8.0.0 is affected, upgrade to 8.0.1 or above.

    • 7.6 branch: versions 7.6.0 through 7.6.4 are affected, upgrade to 7.6.5 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.9 are affected, upgrade to 7.4.10 or above.
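Because fixes ship per release branch, a device is only safe once it runs the fixed build of its own branch, so a one-line version comparison is not enough. The function below is an added example (not a Rapid7 or Fortinet tool) that encodes the affected and fixed versions listed above and classifies a firmware version string as affected, fixed, or not covered by the ranges on this page. It assumes version strings of the form `7.4.8` or `v7.4.8,build2795` (the latter being the shape FortiOS prints in its status output; treat that as an assumption and adjust the parser if your inventory tool reports versions differently).

```python
"""Classify a Fortinet firmware version against the advisory ranges above.

Added example, not vendor code. The AFFECTED table reproduces the affected
and fixed versions listed in this post for CVE-2025-59718 (FortiOS,
FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb).
"""
import re

# (product, (major, minor)) -> (first affected, last affected, first fixed)
AFFECTED = {
    ("FortiOS", (7, 6)): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ("FortiOS", (7, 4)): ((7, 4, 0), (7, 4, 8), (7, 4, 9)),
    ("FortiOS", (7, 2)): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    ("FortiOS", (7, 0)): ((7, 0, 0), (7, 0, 17), (7, 0, 18)),
    ("FortiProxy", (7, 6)): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ("FortiProxy", (7, 4)): ((7, 4, 0), (7, 4, 10), (7, 4, 11)),
    ("FortiProxy", (7, 2)): ((7, 2, 0), (7, 2, 14), (7, 2, 15)),
    ("FortiProxy", (7, 0)): ((7, 0, 0), (7, 0, 21), (7, 0, 22)),
    ("FortiSwitchManager", (7, 2)): ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
    ("FortiSwitchManager", (7, 0)): ((7, 0, 0), (7, 0, 5), (7, 0, 6)),
    ("FortiWeb", (8, 0)): ((8, 0, 0), (8, 0, 0), (8, 0, 1)),
    ("FortiWeb", (7, 6)): ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    ("FortiWeb", (7, 4)): ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'7.4.8' or 'v7.4.8,build2795' -> (7, 4, 8). Raises ValueError otherwise."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(product: str, version: str) -> tuple:
    """Return (status, fixed_version) where status is one of:
    'affected'   - version is inside the affected range of its branch;
    'fixed'      - version is at or above the branch's fixed release;
    'not_listed' - product/branch is not in the ranges reproduced here
                   (check the Fortinet advisory directly, do not assume safe).
    """
    ver = parse_version(version)
    branch = AFFECTED.get((product, ver[:2]))
    if branch is None:
        return ("not_listed", None)
    first, last, fixed = branch
    fixed_str = ".".join(str(x) for x in fixed)
    if first <= ver <= last:
        return ("affected", fixed_str)
    if ver >= fixed:
        return ("fixed", fixed_str)
    return ("not_listed", None)  # below the branch's first affected build


if __name__ == "__main__":
    inventory = [  # constructed sample inventory
        ("FortiOS", "v7.4.8,build2795"),
        ("FortiOS", "7.6.4"),
        ("FortiWeb", "8.0.0"),
        ("FortiSwitchManager", "7.2.6"),
        ("FortiOS", "6.4.15"),
    ]
    for product, version in inventory:
        status, fixed = classify(product, version)
        note = f" -> upgrade to {fixed} or above" if status == "affected" else ""
        print(f"{product} {version}: {status}{note}")
```

The `not_listed` result is deliberately not reported as safe: branches outside the table (older trains, or releases that post-date this post) have to be checked against the Fortinet advisory itself.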

For the latest mitigation guidance, please refer to the Fortinet security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with authenticated vulnerability checks available in the December 17 content release.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-59718 and CVE-2025-59719, including indicators of compromise (IOCs).

Updates

  • December 17, 2025: Initial publication.

  • December 17, 2025: Coverage updated.

  • December 18, 2025: Added Intelligence Hub section.
