Act now! Attackers apparently bypass Fortinet security patch
According to media reports, a security patch for various Fortinet products is defective. However, admins can still protect instances.
There are currently indications that attackers are bypassing a recently released security update and attacking FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. The vulnerability is considered “critical”.
Ongoing attacks
The IT news website Bleepingcomputer reports on Fortinet customers whose products are being successfully attacked despite the installed security patch. The vulnerability (CVE-2025-59718) has been known since December of last year. Security updates were also released at that time.
Attacks have been ongoing since then: attackers are actively exploiting the vulnerability and, after a successful attack, gain access to devices. The extent of the attacks is currently unclear. In a post, security researchers from Arctic Wolf list, among other things, parameters that admins can use to identify devices that have already been attacked.
However, instances are only vulnerable if authentication via SSO is active. This is not the case by default. Since Fortinet has not yet released a repaired security update, admins must act now and disable login via SSO. This can be done via the command-line interface with the following commands:
config system global
set admin-forticloud-sso-login disable
end
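To check a whole fleet for this setting, the following added example (not from the article or from Fortinet) scans saved configuration text for the state of admin-forticloud-sso-login inside the config system global block. It assumes that text backups use the same config / set / end layout as the commands above; the device names and backup contents are constructed.

```python
import re

SETTING = "admin-forticloud-sso-login"  # setting name quoted in the article

def forticloud_sso_state(config_text):
    """Return 'enable', 'disable', or None when the setting does not appear
    inside the top-level 'config system global' block."""
    stack, state = [], None           # stack = currently open config blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line == "end":
            if stack:
                stack.pop()
        elif stack == ["system global"]:
            m = re.match(r"set\s+(\S+)\s+(\S+)", line)
            if m and m.group(1) == SETTING:
                state = m.group(2).strip('"').lower()
    return state

def audit(backups):
    """Map each device name to a finding, given {name: config text}."""
    verdicts = {
        "enable": "EXPOSED: SSO login enabled, disable it now",
        "disable": "ok: SSO login explicitly disabled",
        None: "not set in backup: confirm on the device itself",
    }
    return {name: verdicts.get(forticloud_sso_state(text), "unexpected value: review manually")
            for name, text in backups.items()}

# Constructed sample backups (hypothetical device names and contents).
SAMPLE_BACKUPS = {
    "fw-edge-01": "config system global\n    set hostname \"fw-edge-01\"\n"
                  "    set admin-forticloud-sso-login enable\nend\n",
    "fw-edge-02": "config system global\n    set admin-forticloud-sso-login disable\nend\n",
    # Decoy: the same line in a different (made-up) block must not count.
    "fw-lab-03": "config example other-block\n    set admin-forticloud-sso-login enable\nend\n"
                 "config system global\n    set hostname \"fw-lab-03\"\nend\n",
}

if __name__ == "__main__":
    for device, finding in audit(SAMPLE_BACKUPS).items():
        print(f"{device}: {finding}")
```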
Vulnerable instances in Germany
In a warning message, Fortinet lists further information on the affected products. FortiWeb 7.0 and 7.2 are reportedly not affected by the vulnerability. Security researchers from Shadowserver have scanned the internet for SSO instances. They currently count more than 11,000 worldwide. In Germany, there are just over 120 instances.
In addition, attackers are currently targeting FortiSIEM and exploiting a “critical” security vulnerability (CVE-2025-64155).
(des)