{"id":9366,"date":"2025-12-20T10:03:39","date_gmt":"2025-12-20T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/20\/25000-forticloud-sso-enabled-devices-exposed-to-remote-attacks\/"},"modified":"2025-12-20T10:03:39","modified_gmt":"2025-12-20T10:03:39","slug":"25000-forticloud-sso-enabled-devices-exposed-to-remote-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/20\/25000-forticloud-sso-enabled-devices-exposed-to-remote-attacks\/","title":{"rendered":"25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks"},"content":{"rendered":"<div>\n<p>Over 25,000 Fortinet devices worldwide have FortiCloud <a href=\"https:\/\/cybersecuritynews.com\/best-exposure-management-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">Single Sign-On (SSO)<\/a> enabled, leaving them potentially exposed to remote attacks.<\/p>\n<p>The finding stems from enhanced device fingerprinting in a new Device Identification report, which scanned global IP addresses and flagged these systems as openly advertising their SSO configuration.<\/p>\n<p>FortiCloud SSO streamlines authentication for Fortinet\u2019s ecosystem, including firewalls, switches, and access points like the FortiGate series. While convenient for enterprises, exposing this feature publicly can tip off attackers to probe for weaknesses.<\/p>\n<p>The Shadowserver Foundation detected at least 25,000 unique IPs across regions, including North America, Europe, and Asia-Pacific. 
\u201cThis isn\u2019t just noise; it\u2019s a clear signal for exposed management interfaces,\u201d the team noted in their advisory.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718\/CVE-2025-59719 if you get a report from us regarding exposure, please verify\/patch! <a href=\"https:\/\/t.co\/u0ts0vFMBa\">pic.twitter.com\/u0ts0vFMBa<\/a><\/p>\n<p>\u2014 The Shadowserver Foundation (@Shadowserver) <a href=\"https:\/\/twitter.com\/Shadowserver\/status\/2001988423247339649?ref_src=twsrc%5Etfw\">December 19, 2025<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<p>The exposure raises alarms amid recent Fortinet vulnerabilities. Notably, <a href=\"https:\/\/cybersecuritynews.com\/fortigate-devices-sso-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-59718<\/a> and CVE-2025-59719 are both rated high severity by CVSS and impact FortiCloud-integrated systems.<\/p>\n<p>CVE-2025-59718 (CVSS 8.2) involves improper access controls in SSO endpoints, allowing remote unauthenticated attackers to bypass authentication under specific conditions. 
<a href=\"https:\/\/cybersecuritynews.com\/fortigate-devices-sso-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-59719<\/a> (CVSS 7.5) exploits weak session handling, enabling account takeover if combined with phishing or brute-force attempts.<\/p>\n<p>Importantly, not every exposed device is vulnerable. Patching status, configuration nuances, and network segmentation play key roles. \u201cPresence on our scan doesn\u2019t confirm exploitation risk,\u201d the researchers cautioned. \u201cIf you receive one of our exposure reports, immediately verify your FortiCloud SSO setup and apply patches.\u201d<\/p>\n<p>Fortinet released fixes in its December 2025 firmware updates (e.g., FortiOS 7.4.4 and 7.2.9), urging admins to disable public SSO exposure where possible.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Product<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Affected Versions<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Fixed Version<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>FortiOS 7.6<\/td>\n<td>7.6.0 \u2013 7.6.3<\/td>\n<td>7.6.4+<\/td>\n<\/tr>\n<tr>\n<td>FortiOS 7.4<\/td>\n<td>7.4.0 \u2013 7.4.8<\/td>\n<td>7.4.9+<\/td>\n<\/tr>\n<tr>\n<td>FortiOS 7.2<\/td>\n<td>7.2.0 \u2013 7.2.11<\/td>\n<td>7.2.12+<\/td>\n<\/tr>\n<tr>\n<td>FortiOS 7.0<\/td>\n<td>7.0.0 \u2013 7.0.17<\/td>\n<td>7.0.18+<\/td>\n<\/tr>\n<tr>\n<td>FortiProxy 7.6<\/td>\n<td>7.6.0 \u2013 7.6.3<\/td>\n<td>7.6.4+<\/td>\n<\/tr>\n<tr>\n<td>FortiProxy 7.4<\/td>\n<td>7.4.0 \u2013 7.4.10<\/td>\n<td>7.4.11+<\/td>\n<\/tr>\n<tr>\n<td>FortiProxy 7.2<\/td>\n<td>7.2.0 \u2013 7.2.14<\/td>\n<td>7.2.15+<\/td>\n<\/tr>\n<tr>\n<td>FortiProxy 7.0<\/td>\n<td>7.0.0 \u2013 7.0.21<\/td>\n<td>7.0.22+<\/td>\n<\/tr>\n<tr>\n<td>FortiSwitchManager 7.2<\/td>\n<td>7.2.0 \u2013 7.2.6<\/td>\n<td>7.2.7+<\/td>\n<\/tr>\n<tr>\n<td>FortiSwitchManager 7.0<\/td>\n<td>7.0.0 \u2013 
7.0.5<\/td>\n<td>7.0.6+<\/td>\n<\/tr>\n<tr>\n<td>FortiWeb 8.0<\/td>\n<td>8.0.0<\/td>\n<td>8.0.1+<\/td>\n<\/tr>\n<tr>\n<td>FortiWeb 7.6<\/td>\n<td>7.6.0 \u2013 7.6.4<\/td>\n<td>7.6.5+<\/td>\n<\/tr>\n<tr>\n<td>FortiWeb 7.4<\/td>\n<td>7.4.0 \u2013 7.4.9<\/td>\n<td>7.4.10+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Best practices include restricting FortiCloud access to VPN-only or private IPs, enabling multi-factor <a href=\"https:\/\/cybersecuritynews.com\/authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">authentication<\/a> (MFA), and monitoring logs for anomalous SSO traffic.<\/p>\n<p>Organizations should prioritize scans using tools like Shodan or the researchers\u2019 service. Fortinet customers can query their support portal for tailored assessments. As cloud-managed security blurs the lines between on-prem and remote access, vigilance remains critical to thwart remote threats.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/forticloud-sso-enabled-devices-exposed\/\">25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks Over 25,000 Fortinet devices worldwide have FortiCloud Single Sign-On (SSO) enabled, leaving them potentially exposed to remote attacks. The finding stems from enhanced device fingerprinting in a new Device Identification report, which scanned global IP addresses and flagged these systems as openly advertising their SSO configuration. 
FortiCloud [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-9366","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9366"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9366"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9366\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}