THREAT ALERT

Advisory: Active Exploitation of Fortinet Vulnerability (FG-IR-25-647)

Tuesday, December 16th, 2025



We are following reports indicating that the CVEs addressed in Fortinet PSIRT advisory FG-IR-25-647 (CVE-2025-59718 and CVE-2025-59719) are being actively exploited.

DefenseStorm is following reports indicating that the CVEs addressed in Fortinet PSIRT advisory FG-IR-25-647 (CVE-2025-59718 and CVE-2025-59719) are being actively exploited in the wild. Organizations using affected Fortinet and/or FortiCloud products should review this advisory. The information below is taken directly from FortiGuard Labs: https://fortiguard.fortinet.com/psirt/FG-IR-25-647

Summary

An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.

Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch “Allow administrative login using FortiCloud SSO” in the registration page, FortiCloud SSO login is enabled upon registration.

To prevent being affected by this vulnerability on vulnerable versions, please turn off the FortiCloud login feature (if enabled) temporarily until upgrading to a non-affected version.

To turn off FortiCloud login, go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off. Or type the following command in the CLI:

config system global
set admin-forticloud-sso-login disable
end
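As an added example (not code from the Fortinet advisory or from DefenseStorm), the following Python check inspects an exported FortiOS configuration for the admin-forticloud-sso-login setting shown above, so an administrator can confirm the workaround across a fleet of config backups. It assumes the standard text export format (config ... end, edit ... next); the sample configurations are constructed.

```python
# Constructed sample FortiOS configuration excerpts (not real device exports).
SSO_ENABLED_CFG = """\
config system global
    set hostname "fw-branch-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""
SSO_DISABLED_CFG = """\
config system global
    set admin-forticloud-sso-login disable
end
"""
SSO_UNSET_CFG = """\
config system global
    set hostname "fw-branch-03"
end
"""

def global_settings(config_text: str) -> dict[str, str]:
    """Return the 'set' key/value pairs found directly inside 'config system global'.
    Tracks config/edit nesting so settings from other blocks are ignored."""
    settings: dict[str, str] = {}
    stack: list[str] = []  # names of the enclosing config/edit blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append("edit")
        elif line in ("end", "next") and stack:
            stack.pop()
        elif line.startswith("set ") and stack == ["system global"]:
            key, _, value = line[len("set "):].partition(" ")
            settings[key] = value.strip().strip('"')
    return settings

def forticloud_sso_status(config_text: str) -> str:
    """Classify an export as 'enabled', 'disabled' or 'unset' for admin-forticloud-sso-login.
    Assumption: an absent line means the device default applies, which the advisory
    says depends on FortiCare registration, so treat 'unset' as "verify in the GUI"."""
    value = global_settings(config_text).get("admin-forticloud-sso-login")
    if value is None:
        return "unset"
    return "enabled" if value == "enable" else "disabled"
```

Only a result of "disabled" confirms the workaround; "enabled" and "unset" both warrant checking the device before relying on it while unpatched.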


(Image obtained from https://fortiguard.fortinet.com/psirt/FG-IR-25-647)

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

We strongly recommend that customers review Fortinet’s remediation and mitigation guidance in detail and assess their exposure to see if any impacted products are in use within their environment. As with all vendor advisories, organizations should follow their internal change control and patch management processes when applying updates or configuration changes.

Customers are encouraged to bookmark the Fortinet advisory page and monitor it for updates, as additional details, mitigations, or indicators may be released as the situation evolves.

Our team has identified several indicators of compromise (IOCs) associated with this activity. These IOCs have been incorporated into our ThreatMatch feed to support detection and monitoring efforts.

References
https://fortiguard.fortinet.com/psirt/FG-IR-25-647

James Bruhl


Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.