Fortinet Products Under Attack:CISA Demands Expedited Federal Action

Alert essentials:

Hackers are exploiting recently patched flaws in Fortinet products to gain unauthorized administrative access, potentially disrupting patient care and exposing sensitive health data. CISA mandated that federal agencies patch affected devices before the holiday break. Immediate remediation is essential to maintaining the security of healthcare networks.

Detailed threat description:

Earlier in December, Fortinet patched two authentication bypass vulnerabilities affecting products integrated with FortiCloud Single Sign-On (SSO), including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Within days of the fixes’ release, threat actors quickly reverse-engineered the flaws in Fortinet appliances. Both authentication bypasses allow an attacker to log into the tools without valid credentials. Successful exploitation can permit configuration tampering, lateral movement, network compromise, and disruption of clinical systems such as EHR, PACS, and other connected devices.

While adding it to the KEV, CISA issued a mandate that federal organizations apply patches or mitigate CVE-2025-59718 by Tuesday, December 23, 2025. The directive remediation period for less disruptive vulnerabilities is generally 30 days. However, this is the second time in two months that CISA has required a swift patch deployment for Fortinet products. CVE-2025-58034 describes a FortiWeb code injection that was being exploited in November 2025, and federal agencies were afforded one week to patch.

Fortinet has released security updates for all affected products, and customers are urgently encouraged to upgrade to the patched versions. Fixes for the exploited Fortinet vulnerabilities are in FortiOS versions 7.6.4, 7.4.9, 7.2.12, and 7.0.18, FortiProxy versions 7.6.4, 7.4.11, 7.2.15, and 7.0.22, FortiSwitchManager versions 7.2.7 and 7.0.6, and FortiWeb versions 8.0.1, 7.6.5, and 7.4.10.

Defenders are strongly recommended to address these single sign-on weaknesses promptly. If immediate patching isn’t possible, Fortinet recommends disabling the ‘Allow administrative login using FortiCloud SSO’ feature to prevent exploitation.

While FortiCloud SSO is disabled by default, the feature is automatically enabled during FortiCare registration unless administrators explicitly disable the FortiCloud option. This means many organizations may be exposed without realizing it. Avoid costly breaches and operational downtime later by proactively patching now.

Impacts on healthcare organizations:

Healthcare networks are prime targets for cyberattacks, and a vulnerability that allows attackers to bypass authentication is a direct threat to patient safety and data integrity. Exploitation could lead to unauthorized access to EHR systems, medical devices, and critical infrastructure, potentially disrupting care delivery and violating HIPAA compliance.

Hospitals should act immediately by patching all affected Fortinet products. If updates cannot be applied immediately, disable FortiCloud SSO and monitor for suspicious activity.

Affected Products / Versions

• Fortinet FortiOS 7.6.0 through 7.6.3
• FortiOS 7.4.0 through 7.4.8
• FortiOS 7.2.0 through 7.2.11
• FortiOS 7.0.0 through 7.0.17
• FortiProxy 7.6.0 through 7.6.3
• FortiProxy 7.4.0 through 7.4.10
• FortiProxy 7.2.0 through 7.2.14
• FortiProxy 7.0.0 through 7.0.21
• FortiSwitchManager 7.2.0 through 7.2.6
• FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass FortiCloud SSO authentication by sending a crafted SAML response.

CVEs

• CVE-2025-59718, cwe-347, CVSS 9.1
  • Tenable plugins 277980, 277981
• CVE-2025-59719, cwe-347, CVSS 9.1
  • Tenable plugins 277980, 277981
• CVE-2025-58034, cwe-78, CVSS 7.2
  • Tenable plugin 275774

Recommendations

• Schedule emergency maintenance windows if necessary
• Inventory all Fortinet devices in your environment
• Check if FortiCloud SSO is enabled
• Upgrade to the latest Fortinet firmware versions provided
• Switch to local authentication as a temporary safeguard
• Limit management interfaces to trusted IP ranges
• Confirm successful patch deployment across all devices
• Review logs for suspicious admin access attempts or configuration changes
• Enable alerts for configuration changes
• Notify clinical leadership and IT teams

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References:

• CISA: https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalog
• CISA Known Exploitable Vulnerabilities list (KEV): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034
• CVE-2025-58034: https://www.tenable.com/cve/CVE-2025-58034
• CVE-2025-59718: https://www.tenable.com/cve/CVE-2025-59718
• CVE-2025-59719: https://www.tenable.com/cve/CVE-2025-59719
• Fortinet Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-647
• Fortinet Upgrade Path Tool Table: https://docs.fortinet.com/upgrade-tool/fortigate