A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft
September 7, 2021
In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines. The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer’s browser engine. Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing ...
- Netgear Smart Switches Open to Complete Takeover
September 7, 2021
Three severe Netgear vulnerabilities, codenamed Demon’s Cries, Draconian Fear and Seventh Inferno by the researcher that found them, affect 20 of the company’s managed smart switches and could allow an attacker to take them over. The bugs were patched on Friday with zero technical details made available, but the researcher has now released more details on ...
- REvil ransomware group resurfaces after brief hiatus
September 7, 2021
The operators behind the REvil ransomware group have resurfaced after allegedly closing shop following the widespread attack on Kaseya that caused thousands of victims on July 4. Security researchers said all of the dark web sites for the prolific ransomware group — including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation ...
- TrickBot gang developer arrested when trying to leave Korea
September 6, 2021
An alleged Russian developer for the notorious TrickBot malware gang was arrested in South Korea after attempting to leave the country. The TrickBot cybercrime group is responsible for a variety of sophisticated malware targeting Windows and Linux devices to gain access to victim’s networks, steal data, and deploy other malware, such as ransomware. Seoul’s KBS (via The ...
- East Asian online organised crime group preying on British job seekers
September 6, 2021
An organised group of criminals based in East Asia have defrauded job seekers in the UK and worldwide after getting a scam app on to both the Google and Apple app stores. Working with victims who have tried to track down their scammers, Sky News has learnt they were operating from Cambodia, the Philippines and China, ...
- Norwegian student tracks Bluetooth headset wearers by wardriving around Oslo on a bicycle
September 4, 2021
A Norwegian student who went wardriving around Oslo on a pushbike has discovered that several popular models of Bluetooth headphones don’t implement MAC address randomisation – meaning they can be used to track their wearers. Norwegian state broadcaster NRK revealed Bjorn Hegnes’ findings after helping him analyse Bluetooth emissions from a dozen different models of audio ...