嗯,用户让我帮忙总结一篇文章,控制在100字以内,而且不需要特定的开头。首先,我需要仔细阅读这篇文章,理解其主要内容。 文章讲的是黑客利用Fortinet的两个关键漏洞CVE-2025-59718和CVE-2025-59719,在补丁发布几天后就开始攻击。这些漏洞影响了多个产品,包括FortiOS、FortiWeb、FortiProxy和FortiSwitchManager。攻击者通过恶意的SSO登录来绕过认证,下载配置文件,进而获取敏感信息。 接下来,我需要提取关键信息:漏洞名称、CVSS评分、受影响的产品、攻击方式以及建议的缓解措施。然后,把这些信息浓缩到100字以内,确保内容准确且简洁。 可能会遇到的问题是如何在有限的字数内涵盖所有重要点。比如,漏洞如何被利用、影响范围以及应对措施。我需要选择最重要的部分来突出显示。 最后,检查一下是否符合用户的要求:中文总结、不超过100字、没有特定开头。确保语言流畅自然。 </think> 黑客利用Fortinet的两个关键漏洞CVE-2025-59718和CVE-2025-59719(CVSS评分9.1),在补丁发布几天后开始攻击,影响FortiOS、FortiWeb等产品。攻击者通过恶意SSO登录绕过认证,下载设备配置文件以获取敏感信息。建议用户升级版本并禁用FortiCloud SSO登录功能以缓解风险。 2025-12-16 15:40:34 Author: securityaffairs.com(查看原文) 阅读量:0 收藏
Hackers are exploiting critical Fortinet flaws days after patch release
Pierluigi Paganini
December 16, 2025
Threat actors are exploiting two critical Fortinet flaws, tracked as CVE-2025-59718 and CVE-2025-59719, days after patch release, impacting multiple Fortinet products.
Threat actors started exploiting two critical flaws, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.1), in Fortinet products days after patch release, Arctic Wolf warns.
Last week, Fortinet addressed 18 vulnerabilities, including the two flaws CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled.
Both vulnerabilities are improper verification of cryptographic signature issues.
An improper signature-verification flaw in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager lets an unauthenticated attacker bypass FortiCloud SSO login using a crafted SAML message, if the feature is enabled. FortiCloud SSO is disabled by default, but it activates automatically during FortiCare registration unless the admin disables the “Allow administrative login using FortiCloud SSO” toggle.
“Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch “Allow administrative login using FortiCloud SSO” in the registration page, FortiCloud SSO login is enabled upon registration.” reads the advisory.
The vendor recommends disabling the FortiCloud login feature (if enabled) until upgrading to a non-affected version, as a temporary mitigation.
Below are the impacted versions:
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.14 | Upgrade to 7.2.15 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.21 | Upgrade to 7.0.22 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiWeb 8.0 | 8.0.0 | Upgrade to 8.0.1 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiWeb 7.2 | Not affected | Not Applicable |
| FortiWeb 7.0 | Not affected | Not Applicable |
The vulnerabilities were internally discovered and reported by Yonghui Han and Theo Leleu of Fortinet Product Security team.
Arctic Wolf researchers observed attackers began exploiting critical Fortinet authentication bypass flaws on December 12, just three days after patches were issued. The attacks involved malicious SSO logins on FortiGate devices, mainly targeting admin accounts from multiple hosting providers. After gaining access, the attackers exported device configurations via the GUI. These files include hashed credentials, which threat actors can attempt to crack offline, increasing the risk of further compromise.
“In December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.” Arctic Wolf warns.
The experts reported that recent intrusions involved malicious SSO logins to FortiGate devices originating from a small set of hosting providers. Attackers primarily targeted the admin account, successfully authenticating via SSO from specific IP addresses. After gaining access, they used the FortiGate GUI to download device configuration files, exporting them to the same source IPs. Arctic Wolf reports having detection mechanisms in place to identify this activity and will continue monitoring and alerting customers about further suspected exploitation.
Administrators are urged to check for signs of compromise, reset credentials if needed, and restrict firewall management access to trusted networks. Fortinet has released patches across multiple FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb versions, and advises disabling FortiCloud SSO admin login to mitigate exploitation risks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Fortinet)
如有侵权请联系:admin#unsafe.sh