A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Pentagon leaker Jack Teixeira sentenced to 15 years in prison
November 12, 2024
Jack Teixeira, a member of the Massachusetts National Guard, has been jailed for 15 years for leaking classified documents about the war in Ukraine and other military secrets. A federal judge in Boston, United States, on Tuesday sentenced the 22-year-old after he pleaded guilty earlier this year to six counts of wilful retention and transmission of ...
- Hot Topic data breach thought to have hit nearly 54 million customers
November 12, 2024
Breach notification site Have I Been Pwned has confirmed the personal data of 56,904,909 users was found online, leaked from Hot Topic, Torrid, and Box Lunch customers. Threat actor ‘Satanic’ claimed responsibility for the breach, which was allegedly carried out through an infostealer infection, and made possible by weak security practices. The dataset is reportedly on ...
- Ymir: new stealthy ransomware in the wild
November 11, 2024
In a recent incident response case, Kaspersky researchers discovered a new and notable ransomware family in active use by the attackers, which they named “Ymir”. The artifact has interesting features for evading detection, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls. In the case ...
- TikTok ordered to close Canada offices following “national security review”
November 8, 2024
The Government of Canada ordered the TikTok Technology Canada Inc. to close its offices in the country following a national security review. This decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may be injurious to Canada’s national security. Canada’s Minister of Innovation, Science and Industry ...
- Hello again, FakeBat: popular loader returns after months-long hiatus
November 8, 2024
The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While Malwarebytes Labs noted a decrease in loaders distributed via malvertising for the past 3 months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods. After months of ...
- QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns
November 8, 2024
In 2021, Kaspersky researchers began to investigate an attack on the telecom industry in South Asia. During the investigation, they discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory. The framework includes a Loader, a Core module, a Network module, a Command Shell module and a File Manager module. It ...