CISA: Multiple Fortinet Products Exploited In Attacks, Rapid Patching Urged

For the second time in the past month, the U.S. cybersecurity agency issued an advisory giving government agencies just a week to remediate an exploited vulnerability in Fortinet products.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging Fortinet customers to prioritize patching for a critical-severity vulnerability, which impacts multiple products from the vendor and has been exploited in cyberattacks.

CISA confirmed in an advisory Tuesday that the vulnerability impacting Fortinet FortiOS, FortiSwitchMaster, FortiProxy and FortiWeb (tracked as CVE-2025-59718) has seen exploitation by threat actors.

CRN has reached out to Fortinet for comment.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA wrote in its advisory. The agency said it “strongly urges all organizations” that are affected to prioritize patching activities.

CISA added the flaw to its catalog of vulnerabilities known to have seen exploitation Tuesday, and is requiring federal agencies to implement patches for it by Dec. 23.

That makes this the second time in the past month that CISA has given government agencies just a week to remediate an exploited Fortinet vulnerability, following the mandate issued Nov. 18 over a FortiWeb vulnerability.

In the case of the critical-severity vulnerability affecting multiple Fortinet products, the flaw was initially disclosed by the cybersecurity vendor Dec. 9.

The vulnerability—which involves improper verification of cryptographic signatures—“may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,” Fortinet said in its disclosure.

Fortinet recommended that organizations temporarily disable the FortiCloud login feature until fixes are implemented.