A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Pokémon hack exposes future games, beta designs and more
October 14, 2024
Pokémon developer Game Freak has confirmed its servers were hacked in August. The breach meant internal materials — from source codes to early and even scrapped character designs — were circulating on social media over the weekend. Leaked documents and images flooded Reddit and X after Centro Leaks began dumping it all on Saturday afternoon. It ...
- Over 77,000 customers’ personal information is exposed in Fidelity Investments data breach
October 12, 2024
Fidelity Investments reported in a filing with Maine’s attorney general that an unnamed third party accessed information from its systems using two recently established customer accounts. It did not say how the creation of two Fidelity customer accounts allowed access to the data of thousands of other customers. The breach occurred between Aug. 17 and 19 ...
- Critical Veeam Backup & Replication Vulnerability Under Active Exploitation
October 11, 2024
Security researchers have reported CVE-2024-40711 is under active exploitation by ransomware groups. These groups are reportedly exploiting CVE-2024-40711 as a second stage exploit to create new local Administrator accounts to facilitate further objectives on compromised networks. Reports warn of exploitation attempts since shortly after official disclosure by Veeam. Enterprise backup and disaster recovery applications are valuable ...
- CoreWarrior Spreader Malware Surge
October 11, 2024
This week, the SonicWall Capture Labs threat research team investigated a sample of CoreWarrior malware. This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring. Infection Cycle The malware ...
- Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
October 11, 2024
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of the investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day ...
- UNODC report exposes escalating threat of organized crime in the Pacific
October 11, 2024
The Pacific is increasingly becoming an important transshipment hub and an operational and destination point for organized crime syndicates, according to a new report launched today by the UN Office on Drugs and Crime (UNODC). Titled Transnational Organized Crime in the Pacific: Expansion, Challenges, and Impact, the report provides a detailed analysis of the rapidly evolving ...