Austria SCERT (EN)
GovPing monitors Austria SCERT (EN) for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.
Thursday, April 23, 2026
FortiCloud SSO Bypass CVE-2025-59718 Exploitation Analysis
CERT.at published a technical analysis of active exploitation of CVE-2025-59718/59719, a FortiCloud SSO authentication bypass affecting FortiGate and FortiWeb devices running FortiOS. Based on honeypot observations, the analyst documented four distinct attack campaigns: Campaign Zero (invalid PoC requests), Campaign One (exploitation followed by failed config dumps), Campaign Two (successful configuration extraction via POST), and Campaign Three (creation of a new super_admin account with no MFA and unrestricted network access). Fortinet has since confirmed the patches were initially incomplete, later attributing the sustained attacks to a separate FortiCloud SSO integration flaw, and clarified that setups using other SAML SSO Identity Providers are not affected.
Threat Actors Use FortiCloud SSO Bypass to Collect LDAP Connection Passwords
CERT.at published technical findings on an active threat campaign targeting Fortinet FortiGate appliances using the CVE-2025-59718/CVE-2025-59719 SSO bypass vulnerabilities. The agency obtained an attacker toolkit revealing post-exploitation activities including LDAP/AD configuration extraction and password collection. Attackers possess the default FortiGate configuration encryption key, which remains static across all instances. CERT.at confirmed the exploit works against unpatched FortiGate 7.6.5 devices and recommends immediate activation of the 'private data encryption' feature to replace the default key.
PyPI Package Removal and uv.lock Ghost Installation Vulnerability
CERT.at published a technical analysis on March 10, 2026 explaining that PyPI package removal does not delete underlying distribution files—when a package is removed from the index, the distribution files remain accessible via direct URLs. The uv.lock file format stores these direct URLs, enabling successful reinstallation of removed packages without querying the index. Malicious actors could exploit this by uploading a malicious package, referencing it via uv.lock, then removing it from PyPI before security vendors detect it. The advisory also notes that package names removed by owners can be reclaimed, enabling name-hijacking attacks documented by JFrog.