The finding stems from enhanced device fingerprinting in a new Device Identification report, which scanned global IP addresses and flagged these systems as openly advertising their SSO configuration.
FortiCloud SSO streamlines authentication for Fortinet’s ecosystem, including firewalls, switches, and access points like the FortiGate series. While convenient for enterprises, exposing this feature publicly can tip off attackers to probe for weaknesses.
The Shadowserver Foundation detected at least 25,000 unique IPs across regions, including North America, Europe, and Asia-Pacific. “This isn’t just noise; it’s a clear signal for exposed management interfaces,” the team noted in their advisory.
The exposure raises alarms amid recent Fortinet vulnerabilities. Notably, CVE-2025-59718 and CVE-2025-59719 are both rated high severity by CVSS and impact FortiCloud-integrated systems.
CVE-2025-59718 (CVSS 8.2) involves improper access controls in SSO endpoints, allowing remote unauthenticated attackers to bypass authentication under specific conditions. CVE-2025-59719 (CVSS 7.5) exploits weak session handling, enabling account takeover if combined with phishing or brute-force attempts.
Importantly, not every exposed device is vulnerable. Patching status, configuration nuances, and network segmentation play key roles. “Presence on our scan doesn’t confirm exploitation risk,” the researchers cautioned. “If you receive one of our exposure reports, immediately verify your FortiCloud SSO setup and apply patches.”
Fortinet released fixes in its December 2025 firmware updates (e.g., FortiOS 7.4.4 and 7.2.9), urging admins to disable public SSO exposure where possible.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiOS 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0 – 7.4.8 | 7.4.9+ |
| FortiOS 7.2 | 7.2.0 – 7.2.11 | 7.2.12+ |
| FortiOS 7.0 | 7.0.0 – 7.0.17 | 7.0.18+ |
| FortiProxy 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiProxy 7.4 | 7.4.0 – 7.4.10 | 7.4.11+ |
| FortiProxy 7.2 | 7.2.0 – 7.2.14 | 7.2.15+ |
| FortiProxy 7.0 | 7.0.0 – 7.0.21 | 7.0.22+ |
| FortiSwitchManager 7.2 | 7.2.0 – 7.2.6 | 7.2.7+ |
| FortiSwitchManager 7.0 | 7.0.0 – 7.0.5 | 7.0.6+ |
| FortiWeb 8.0 | 8.0.0 | 8.0.1+ |
| FortiWeb 7.6 | 7.6.0 – 7.6.4 | 7.6.5+ |
| FortiWeb 7.4 | 7.4.0 – 7.4.9 | 7.4.10+ |
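To act on the table above, an inventory can be triaged against it programmatically. The following is an added example, not code from Fortinet or Shadowserver; the hostnames, build suffix and inventory format are constructed for illustration, and branches missing from the table are reported as not listed rather than assumed safe.

```python
import re

# First fixed release per product and branch, copied from the table above.
# Every listed branch is affected from x.y.0 up to the release before this one.
FIXED = {
    "FortiOS": {"7.6": "7.6.4", "7.4": "7.4.9", "7.2": "7.2.12", "7.0": "7.0.18"},
    "FortiProxy": {"7.6": "7.6.4", "7.4": "7.4.11", "7.2": "7.2.15", "7.0": "7.0.22"},
    "FortiSwitchManager": {"7.2": "7.2.7", "7.0": "7.0.6"},
    "FortiWeb": {"8.0": "8.0.1", "7.6": "7.6.5", "7.4": "7.4.10"},
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v7.4.8' or '7.4.8 build2795'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(product, version_text):
    """Classify one device as 'affected', 'fixed' or 'not-listed' and name the fix target."""
    branches = FIXED.get(product)
    if branches is None:
        return ("not-listed", None)
    ver = parse_version(version_text)
    fixed = branches.get(f"{ver[0]}.{ver[1]}")
    if fixed is None:
        # Branch absent from the table: it says nothing here, so do not assume safe.
        return ("not-listed", None)
    # Integer tuples compare numerically; as strings, "7.4.9" would sort after "7.4.11".
    if ver < parse_version(fixed):
        return ("affected", fixed)
    return ("fixed", fixed)

# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.4.8 build2795"),
    ("fw-edge-02", "FortiOS", "7.2.12"),
    ("proxy-01", "FortiProxy", "7.4.9"),
    ("waf-01", "FortiWeb", "8.0.0"),
    ("fw-lab-01", "FortiOS", "6.4.15"),
]

def report(inventory):
    """Map each hostname to its (status, fix target) pair."""
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(host, status, f"upgrade to {target}+" if status == "affected" else "")
```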
Best practices include restricting FortiCloud access to VPN-only or private IPs, enabling multi-factor authentication (MFA), and monitoring logs for anomalous SSO traffic.
Organizations should prioritize scans using tools like Shodan or the researchers’ service. Fortinet customers can query their support portal for tailored assessments. As cloud-managed security blurs lines between on-prem and remote access, vigilance remains critical to thwart remote threats.
The post 25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks appeared first on Cyber Security News.