FortiCloud SSO Exposure — 25,000 Devices Vulnerable and Cyber Attacks Active
Experts have discovered over 25,000 exposed devices, with hackers using fraudulent logins to hijack admin accounts

A critical security gap in FortiCloud's Single Sign-On (SSO) system has left more than 25,000 devices open to potential compromise. Security researchers are already tracking active exploitation, where hackers use the flaw to bypass authentication and seize control of administrative accounts.
With so many systems at risk, organisations are being urged to patch immediately or disable the feature to block incoming threats.
A Growing Target: 25,000 Systems Found Open to Attack
Shadowserver, the online safety monitor, identified more than 25,000 Fortinet units accessible on the web with FortiCloud SSO turned on. This discovery comes as hackers actively exploit a serious flaw that allows them to skip identity checks. These ongoing incidents highlight the urgent risk to networks using the vulnerable feature.
When Fortinet issued fixes on 9 December for the vulnerabilities identified as CVE-2025-59718 and CVE-2025-59719, the firm clarified that the risky FortiCloud SSO entry point stays inactive by default. This login method only switches on once administrators link their hardware to the organisation's FortiCare support platform.
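The interim mitigation the article refers to, as an added illustration that is not from the article, Fortinet or any advisory quoted above: the weak state beside the hardened state on the FortiOS CLI. It assumes the setting is named admin-forticloud-sso-login under config system global in FortiOS 7.x; confirm the name against the CLI reference for your release, and treat the lines starting with # as annotations rather than CLI input.

```fortios
# Added example; assumes the setting name admin-forticloud-sso-login (verify for your release).

# Check the current state on the device first.
get system global | grep -i forticloud

# Exposed state: FortiCloud SSO logins are accepted on the admin GUI.
config system global
    set admin-forticloud-sso-login enable
end

# Hardened state: SSO logins refused until the 9 December fixes are installed.
config system global
    set admin-forticloud-sso-login disable
end
```

Disabling the login method removes the SSO entry point but leaves the admin GUI itself reachable, so it complements, rather than replaces, restricting management access to trusted networks and applying the patches.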
Arctic Wolf reports likely exploitation of CVE-2025-59718/59719 affecting FortiOS 7.x/Forti* admin GUIs when FortiCloud SSO is enabled—just 3 days after patches. My scan found 189,212 internet-exposed 7.x admin GUIs worldwide; 30,044 have FortiCloud SSO enabled. pic.twitter.com/4B3CsHX9oE
— nekono_nanomotoni (@nekono_naha) December 16, 2025
According to a report from the cybersecurity firm Arctic Wolf on 12 December, hackers are now actively exploiting the vulnerability. The report states that they are using fraudulent single sign-on (SSO) credentials to gain access to administrative accounts.
The SSO Entry Point: From Registration to Risk
Cybercriminals are exploiting this flaw in affected products by sending a forged SAML message. This allows them to obtain administrative rights to the web control panel and steal system configuration data. These high-risk files reveal exposed management portals, encrypted passwords that might be decrypted, public-facing services, internal network maps, and security rules.
Shadowserver posted on BlueSky last week that they are monitoring over 25,000 IP addresses linked to FortiCloud SSO. Of these, more than 5,400 are located in the United States, while nearly 2,000 are in India. However, it remains unclear how many of these systems have been patched to defend against attacks targeting the CVE-2025-59718 and CVE-2025-59719 flaws.
We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719 if you get a report from us regarding exposure, please verify/patch!
— The Shadowserver Foundation (@shadowserver.bsky.social) 2025-12-19T12:12:31.256Z
Yutaka Sejiyama, a threat researcher at Macnica, also informed BleepingComputer that his own probes found more than 30,000 Fortinet units with FortiCloud SSO active. These systems also leave their at-risk web management portals open to the public internet.
'Given how frequently FortiOS admin GUI vulnerabilities have been exploited in the past, it is surprising that this many admin interfaces remain publicly accessible,' Sejiyama said.
On Tuesday, CISA added the FortiCloud SSO authentication bypass flaw to its list of actively exploited vulnerabilities. Under the Binding Operational Directive 22-01, the agency ordered U.S. government departments to apply patches within one week, setting a deadline of 23 December.
The Zero-Day Trend: Recent Flaws in FortiWeb and FortiOS
Security weaknesses in Fortinet systems are a frequent target for espionage, digital crime, and ransomware groups, who often use 'zero-day' exploits to strike before a fix is available.
In February, for instance, Fortinet revealed that the Chinese hacking collective Volt Typhoon exploited two security gaps in FortiOS SSL VPN. By leveraging CVE-2023-27997 and CVE-2022-42475, the group established a backdoor into a Dutch Ministry of Defence network using a custom remote access trojan (RAT) known as 'Coathanger.'
More recently, in November, Fortinet cautioned that a FortiWeb 'zero-day' vulnerability, identified as CVE-2025-58034, was being used in active attacks. This followed their confirmation just one week prior that they had quietly fixed another FortiWeb flaw, CVE-2025-64446, which had been exploited in broad campaigns.
© Copyright IBTimes 2025. All rights reserved.