A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Chinese hackers Deep Panda return with Log4Shell exploits, new Fire Chili rootkit
April 1, 2022
Deep Panda has launched new attacks this month that exploit Log4Shell to deploy the new Fire Chili rootkit. Deep Panda is a Chinese advanced persistent threat (APT) hacking group that has been active for at least a decade. The APT targets government, defense, healthcare, telecoms, and financial organizations, to name a few, for purposes including data ...
- Zyxel urges customers to patch critical firewall bypass vulnerability
April 1, 2022
Zyxel is urging customers to immediately patch a critical vulnerability in the vendor’s firewall software. In a security advisory published this week, the Taiwanese networking giant said the security flaw can lead to the circumvention of firewall protection in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG product lines. Tracked as CVE-2022-0342 and issued a critical severity ...
- Modem-wiping malware caused Viasat satellite broadband outage in Europe
April 1, 2022
Tens of thousands of Viasat satellite broadband modems that were disabled in a cyber-attack some weeks ago were wiped by malware with possible links to Russia’s destructive VPNFilter, according to SentinelOne. On February 24, as Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, ...
- Lazarus Trojanized DeFi app for delivering malware
March 31, 2022
For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving. We recently discovered a ...
- Meet BlackGuard: a new infostealer peddled on Russian hacker forums
March 31, 2022
Researchers have uncovered a new infostealer malware being peddled in Russian underground forums. Dubbed BlackGuard, zScaler says that the new malware strain is “sophisticated” and has been made available to criminal buyers for a monthly price of $200. Infostealers are forms of malware designed to harvest valuable data, potentially including operating system information, contact lists, screenshots, network ...
- Tracking cyber activity in Eastern Europe
March 30, 2022
In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, ...