Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.

Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company’s FortiCare support service.

As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.

Threat actors are abusing it in vulnerable products via a maliciously crafted SAML message to gain admin-level access to the web management interface and download system configuration files. These sensitive files expose potentially vulnerable interfaces, hashed passwords that attackers may crack, internet-facing services, network layouts, and firewall policies.

Today, Shadowserver said it’s tracking over 25,000 IP addresses with a FortiCloud SSO fingerprint, more than 5,400 in the United States and nearly 2,000 in India.

However, there is currently no information regarding how many have been secured against attacks exploiting the CVE-2025-59718/CVE-2025-59719 vulnerability.

​Macnica threat researcher Yutaka Sejiyama also told BleepingComputer that his scans returned over 30,000 Fortinet devices with FortiCloud SSO enabled, which also expose vulnerable web management interfaces to the internet.

“Given how frequently FortiOS admin GUI vulnerabilities have been exploited in the past, it is surprising that this many admin interfaces remain publicly accessible,” Sejiyama said.

On Tuesday, CISA added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week, by December 23rd, as mandated by the Binding Operational Directive 22-01.

Fortinet security flaws are frequently exploited by cyber-espionage, cybercrime, or ransomware groups, often as zero-day vulnerabilities.

For instance, in February, Fortinet disclosed that the notorious Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws (CVE-2023-27997 and CVE-2022-42475) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware.

More recently, in November, Fortinet warned of a FortiWeb zero-day (CVE-2025-58034) being exploited in the wild, one week after confirming that it had silently patched another FortiWeb zero-day (CVE-2025-64446) that was abused in widespread attacks.