A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Recent ransomware wave targeting Israel linked to Iranian threat actors
November 11, 2020
Two recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors, multiple sources have told ZDNet today. The ransomware attacks have been taking place since mid-October, have ramped up this month, and have repeatedly focused on Israeli targets. Israeli companies of all sizes have been targeted by threat actors using the Pay2Key ...
- CVE-2020-17051: Remote kernel heap overflow in NFSv3 Windows Server
November 10, 2020
Microsoft released a patch today for a critical vulnerability (CVE-2020-17051) in the Windows NFSv3 (Network File System) server. NFS is typically used in heterogenous environments of Windows and Unix/Linux for file sharing. The vulnerability can be reproduced to cause an immediate BSOD (Blue Screen of Death) within the nfssvr.sys driver. Interestingly, the November patches from ...
- New Platypus attack can steal data from Intel CPUs
November 10, 2020
A team of academics has disclosed today a new attack method that can extract data from Intel CPUs. Named Platypus, an acronym for “Power Leakage Attacks: Targeting Your Protected User Secrets,” the attack targets the RAPL interface of Intel processors. RAPL, which stands for Running Average Power Limit, is a component that allows firmware or software applications ...
- A Closer Look at the Web Skimmer
November 9, 2020
The formjacking attack has been one of the fastest-growing cyberattacks in recent years. As explained in our previous blog, “Anatomy of Formjacking Attacks,” the formjacking attack is easy to deploy but hard to detect. It has gained popularity among threat actors, especially against e-commerce websites. Between May and September 2020, we detected an average of ...
- Ghimob: a Tétrade threat actor moves to infect mobile devices
November 9, 2020
Guildma, a threat actor that is part of the Tétrade family of banking trojans, has been working on bringing in new techniques, creating new malware and targeting new victims. Recently, their new creation, the Ghimob banking trojan, has been a move toward infecting mobile devices, targeting financial apps from banks, fintechs, exchanges and cryptocurrencies in ...
- An Old Joker’s New Tricks: Using Github To Hide Its Payload
November 9, 2020
The Joker malware has consistently plagued mobile users since its discovery in 2017. In January 2020, Google removed 1700 infected applications from the Play Store — a list that grew over three years. More recently, in September, security company Zscaler found 17 samples that were uploaded to the Google Play Store. Joker has been responsible ...