25,000+ FortiCloud SSO-Enabled Systems Vulnerable to Remote Exploitation

The Shadowserver Foundation has discovered over 25,000 internet-facing Fortinet devices globally with FortiCloud Single Sign-On (SSO) functionality enabled, raising concerns about potential exposure to critical authentication bypass vulnerabilities.

Recently, the non-profit security organization added fingerprinting capabilities for these systems to its Device Identification reporting service, alerting network administrators to verify their security posture immediately and take necessary actions to prevent potential attacks.

Mass Exposure Discovered Through Global Scanning

According to Shadowserver’s latest scan results, at least 25,000 IP addresses worldwide are hosting Fortinet devices configured with FortiCloud SSO enabled, creating a significant attack surface that threat actors could exploit.

Although not all exposed systems are necessarily vulnerable, the discovery highlights the importance of verifying patch status and implementing security updates without delay to prevent potential attacks.

Organizations receiving exposure notifications from Shadowserver are urged to take immediate action to verify their patch status and implement security updates to prevent potential exploitation of the vulnerabilities.

The alert specifically references CVE-2025-59718 and CVE-2025-59719, two critical authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products, which carry a CVSS v3 score of 9.1.

Exposing FortiCloud SSO implementations creates opportunities for unauthorized access to enterprise network infrastructure, which could lead to network compromise, data exfiltration, or deployment of additional malware.

Fortinet customers should immediately verify whether their devices appear in Shadowserver’s reporting and confirm their patch status to prevent potential attacks.

The vendor has released security updates for affected product versions, and organizations should prioritize upgrading to patched releases to prevent exploitation of the vulnerabilities.

As a temporary mitigation, administrators can turn off FortiCloud SSO functionality in system settings or via CLI commands until patches are deployed, reducing the risk of potential attacks.

The Shadowserver Foundation provides free security scanning reports to network owners worldwide, helping identify vulnerable or misconfigured systems before attackers discover them, and organizations that have not registered for these notifications should consider doing so to receive timely alerts about exposed infrastructure.

By registering for these notifications, organizations can take proactive steps to protect their networks and prevent potential attacks, ensuring the security and integrity of their infrastructure.

Related Articles

Back to top button
RzMWdj UNaLmGpxlm ijwKSqa x