Cyber Web Spider Blog – News

25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks


Posted on December 19, 2025 By CWS

Over 25,000 Fortinet devices worldwide have FortiCloud Single Sign-On (SSO) enabled, leaving them potentially exposed to remote attacks.

The finding stems from enhanced device fingerprinting in a new Device Identification report, which scanned global IP addresses and flagged these systems as openly advertising their SSO configuration.

FortiCloud SSO streamlines authentication for Fortinet’s ecosystem, including firewalls, switches, and access points like the FortiGate series. While convenient for enterprises, exposing this feature publicly can tip off attackers to probe for weaknesses.

The Shadowserver Foundation detected at least 25,000 unique IPs across regions, including North America, Europe, and Asia-Pacific. “This isn’t just noise, it’s a clear signal for exposed management interfaces,” the team noted in their advisory.

We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719 when you get a report from us regarding exposure, please verify/patch! pic.twitter.com/u0ts0vFMBa — The Shadowserver Foundation (@Shadowserver) December 19, 2025

The exposure raises alarms amid recent Fortinet vulnerabilities, notably CVE-2025-59718 and CVE-2025-59719, both rated high severity by CVSS and impacting FortiCloud-integrated systems.

CVE-2025-59718 (CVSS 8.2) involves improper access controls in SSO endpoints, allowing remote unauthenticated attackers to bypass authentication under specific conditions. CVE-2025-59719 (CVSS 7.5) exploits weak session handling, enabling account takeover if combined with phishing or brute-force attempts.

Importantly, not every exposed device is vulnerable. Patching status, configuration nuances, and network segmentation play key roles. “Presence on our scan doesn’t confirm exploitation risk,” the researchers cautioned. “If you receive one of our exposure reports, immediately verify your FortiCloud SSO setup and apply patches.”

Fortinet released fixes in its December 2025 firmware updates (e.g., FortiOS 7.4.4 and 7.2.9), urging admins to disable public SSO exposure where possible.

Product                   Affected Versions    Fixed Version
FortiOS 7.6               7.6.0 – 7.6.3        7.6.4+
FortiOS 7.4               7.4.0 – 7.4.8        7.4.9+
FortiOS 7.2               7.2.0 – 7.2.11       7.2.12+
FortiOS 7.0               7.0.0 – 7.0.17       7.0.18+
FortiProxy 7.6            7.6.0 – 7.6.3        7.6.4+
FortiProxy 7.4            7.4.0 – 7.4.10       7.4.11+
FortiProxy 7.2            7.2.0 – 7.2.14       7.2.15+
FortiProxy 7.0            7.0.0 – 7.0.21       7.0.22+
FortiSwitchManager 7.2    7.2.0 – 7.2.6        7.2.7+
FortiSwitchManager 7.0    7.0.0 – 7.0.5        7.0.6+
FortiWeb 8.0              8.0.0                8.0.1+
FortiWeb 7.6              7.6.0 – 7.6.4        7.6.5+
FortiWeb 7.4              7.4.0 – 7.4.9        7.4.10+
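
As an added example (not from the original article, Fortinet or Shadowserver), the following script triages a firmware inventory against the affected-version table above. The hostnames and inventory rows are constructed, and a branch missing from the table is reported as not-listed rather than assumed safe.

```python
# Added example: ranges copied from the table on this page; inventory is constructed.

# (product, branch) -> (highest affected patch level, first fixed version)
AFFECTED = {
    ("FortiOS", "7.6"): (3, "7.6.4"),
    ("FortiOS", "7.4"): (8, "7.4.9"),
    ("FortiOS", "7.2"): (11, "7.2.12"),
    ("FortiOS", "7.0"): (17, "7.0.18"),
    ("FortiProxy", "7.6"): (3, "7.6.4"),
    ("FortiProxy", "7.4"): (10, "7.4.11"),
    ("FortiProxy", "7.2"): (14, "7.2.15"),
    ("FortiProxy", "7.0"): (21, "7.0.22"),
    ("FortiSwitchManager", "7.2"): (6, "7.2.7"),
    ("FortiSwitchManager", "7.0"): (5, "7.0.6"),
    ("FortiWeb", "8.0"): (0, "8.0.1"),
    ("FortiWeb", "7.6"): (4, "7.6.5"),
    ("FortiWeb", "7.4"): (9, "7.4.10"),
}

def triage(product, version):
    """Return (status, fixed_version) for one product/firmware pair."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return ("unparseable", None)
    branch, patch = ".".join(parts[:2]), int(parts[2])
    entry = AFFECTED.get((product, branch))
    if entry is None:
        return ("not-listed", None)  # branch absent from the table: check the vendor advisory
    max_affected, fixed = entry
    return ("affected", fixed) if patch <= max_affected else ("fixed", fixed)

def report(inventory):
    """Rows needing action, as (host, product, version, status, fixed)."""
    rows = [(h, p, v) + triage(p, v) for h, p, v in inventory]
    return [r for r in rows if r[3] in ("affected", "unparseable")]

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.8"),
    ("fw-edge-02", "FortiOS", "v7.4.9"),
    ("proxy-01", "FortiProxy", "7.0.21"),
    ("waf-01", "FortiWeb", "8.0.0"),
    ("fw-lab-01", "FortiOS", "6.4.15"),
]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(*row)
```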

Best practices include restricting FortiCloud access to VPN-only or private IPs, enabling multi-factor authentication (MFA), and monitoring logs for anomalous SSO traffic.

Organizations should prioritize scans using tools like Shodan or the researchers’ service. Fortinet customers can query their support portal for tailored assessments. As cloud-managed security blurs lines between on-prem and remote access, vigilance remains essential to thwart remote threats.
