A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device.
Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager. While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- DDoS Attacks That Employ TCP Amplification Cause Network Congestion, Secondary Outages
November 14, 2019
Over the past month, threat actors have been using a relatively non-conventional approach to mount a flurry of distributed denial-of-service (DDoS) attacks: through TCP amplification. Security company Radware shared its observations on multiple campaigns involving Transmission Control Protocol (TCP) reflection attacks, specifically SYN-ACK reflection attacks, against companies across the world. The scope of the impact was ...
- McAfee antivirus software impacted by code execution vulnerability
November 12, 2019
Researchers have revealed a serious code execution vulnerability impacting all editions of McAfee software. On Tuesday, the SafeBreach Labs cybersecurity team said that CVE-2019-3648 can be used to bypass McAfee’s self-defense mechanisms, potentially leading to further attacks on a compromised system. The vulnerability exists due to a failure to validate whether or not loading DLLs have been signed, and a path ...
- Emotet resurgence packs in new binaries, Trickbot functions
November 6, 2019
Emotet, a Banking Trojan turned devastating modular threat, has returned with upgraded functions in a new wave of attacks. The malware, first discovered in 2014, has evolved over the past few years from a relatively basic, singular threat into a customizable modular package used to deploy additional payloads against financial institutions, the enterprise, and consumers worldwide. Emotet, believed to ...
- Kaspersky identifies mysterious APT mentioned in 2017 Shadow Brokers leak
November 5, 2019
In 2017, a mysterious group of hackers known as the Shadow Brokers published online a data dump called “Lost in Translation.” The data dump — believed to have been obtained from the US National Security Agency (NSA) — contained a collection of exploits and hacking tools, including the now-infamous EternalBlue, the exploit that provided the steam ...
- Buran Ransomware; the Evolution of VegaLocker
November 5, 2019
McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REVil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40%, numbers from notorious malware families ...
- Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
November 4, 2019
The Ryuk ransomware has added two features to enhance its effectiveness: The ability to target systems that are in “standby” or sleep mode; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization. Ryuk, which is distributed by ...