A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Update now! Microsoft patches 3 actively exploited zero-days
November 15, 2023
Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available. ...
- Executing from Memory Using ActiveMQ CVE-2023-46604
November 15, 2023
Huntress Labs, Rapid7, and ArticWolf all recently published reports of threat actors exploiting ActiveMQ CVE-2023-46604 to drop ransomware onto the victim host. The attackers used CVE-2023-46604 to invoke cmd.exe followed by curl.exe or msiexec.exe in order to download and execute their ransomware. The attackers were very obvious and caught the aforementioned companies’ attention, all of which ...
- #StopRansomware: Rhysida Ransomware
November 15, 2023
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the MultiState Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida – an emerging ransomware variant – has predominately been deployed against the education, ...
- Over two million users hit by top US pharmacy provider data breach
November 15, 2023
Truepill, formerly known as Postmeds, suffered a data breach that resulted in sensitive data on more than 2.3 million patients being stolen. The US Department of Health and Human Services Office for Civil Rights breach portal listed Truepill (or rather Postmeds) as being under investigation for a data breach that affected a total of 2,364,359 people. Read ...
- Credit card skimming on the rise for the holiday shopping season
November 14, 2023
As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft. One particular threat Malwarebytes Labs researchers are following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not ...
- TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities
November 14, 2023
In mid-2023, Proofpoint researchers first identified TA402 (Molerats, Gaza Cybergang, Frankenstein, WIRTE) activity using a labyrinthine infection chain to target Middle Eastern governments with a new initial access downloader Proofpoint has dubbed IronWind. From July through October 2023, TA402 utilized three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant ...