THE CXO BRIEF
What 5,000+ IT Leaders Are Thinking This Week
📖 4 min read
Your Fortinet firewall might be wide open right now. I saw this hit Tuesday and had to read it twice — a critical SSO bypass is being actively exploited, CISA just dropped a federal patch deadline of December 23, and most orgs don't even know the feature was auto-enabled. Meanwhile, NIST finally published a framework for AI security—and your board is going to ask about it. Let's get into it.
📰 THREE STORIES THAT MATTER
1. Fortinet FortiGate SSO Bypass Under Active Exploitation — Patch by Dec 23
Two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719, both CVSS 9.8) are letting attackers bypass authentication on FortiGate firewalls via crafted SAML messages. Arctic Wolf observed active exploitation starting December 12, with attackers exfiltrating device configurations containing hashed admin credentials.
Here's the kicker: FortiCloud SSO auto-enables when you register for FortiCare support unless you explicitly disable it. Many teams don't even know it's on. CISA added this to the Known Exploited Vulnerabilities catalog on December 16 with a federal deadline of December 23—four days from now.
🔐 CISO Take: Check if FortiCloud SSO is enabled today—it may have been turned on without your knowledge during FortiCare registration. If you don't need cloud-based SSO, disable it. If you do, patch immediately and rotate any admin credentials that may have been exposed.
⚙️ CTO Take: Review your SAML implementation across the stack. The attack vector here—crafted SAML assertions—isn't unique to Fortinet. If you're federating identity across multiple systems, audit how each one validates SAML signatures and assertions.
📡 Network signal: "We have several SaaS tools not integrated with our SSO, and we have no visibility into their security configurations." — Director of IT Security, Real Estate Industry Association. The Fortinet exploit shows why that blind spot is dangerous.
The bottom line: FortiCloud SSO may be enabled without your knowledge. Check today, patch by Monday.
2. NIST Releases First Federal Framework for AI Cybersecurity
NIST published NISTIR 8596, the Cybersecurity Framework Profile for AI, on December 16. This is the first federal framework applying CSF 2.0 specifically to AI systems, covering three areas: securing AI systems, using AI for cyber defense, and defending against AI-enabled attacks.
The document drew input from 6,500+ contributors and is open for a 45-day comment period ending January 30, 2026.
🔐 CISO Take: Download NISTIR 8596 this week and map it against your current AI risk assessments. Even in draft form, this will become the de facto standard auditors and regulators reference. Getting ahead of it now means fewer surprises later.
💻 CIO Take: Use this as your board-ready answer to "what's our AI governance posture?" The three-pillar structure—secure AI, defend with AI, defend against AI—gives you a framework for that conversation.
⚙️ CTO Take: The "secure AI systems" pillar maps directly to your ML pipeline: model signing and verification, training data lineage tracking, runtime integrity monitoring for inference endpoints. Check Section 3.1 for what "secure by design" looks like for AI systems. Gaps now become audit findings later.
📡 Network signal: "We have many individuals investing in AI products within our network. We have no safeguards in place besides written policies." — Director of IT Operations, Global Services Company. NIST just gave you the framework to move from policies to controls.
The bottom line: NIST's AI security framework is here. Comment period ends January 30—get familiar now.
3. AI Churn Has IT Rebuilding Tech Stacks Every 90 Days
CIO.com reports that 70% of regulated enterprises replace at least part of their AI stacks every three months. "IT departments used to go through big arcs of planning, and then transform their tech stack," says one AI platform CEO. "Right now, they get halfway through planning, and the technology has moved so far they have to start over."
The problem isn't just speed—it's signal-to-noise. Hundreds of AI vendors have flooded the market. Distinguishing working solutions from vaporware is a full-time job, and CIOs are stuck in perpetual evaluation mode while competitors ship.
🔐 CISO Take: Rapid stack turnover means security reviews can't keep pace. Set a minimum baseline any AI tool must meet before pilot: SSO integration, audit logging, data residency confirmation. Shadow AI doesn't care about your evaluation timeline.
💻 CIO Take: Stop treating AI pilots like traditional IT projects. Build a 90-day evaluation framework with clear kill criteria: adoption rate, time-to-value, integration complexity. No measurable value in one quarter? Cut it.
⚙️ CTO Take: Architect for portability from day one. Define a standard model interface layer that abstracts provider-specific APIs. The tool you pick today probably won't be the tool in 18 months. Rip-and-replace should be a config change, not a rewrite.
📡 Network signal: "Like most large organizations, we run cyber risk through a patchwork of tools." — Cyber Security Executive, Major Financial Institution. The pattern: AI mentions peaked at 30% in mid-2024, now down to 16%. Automation mentions are up 2.5x. Leaders aren't giving up on AI — they're getting specific about what it actually means for operations.
The bottom line: AI moves faster than enterprise IT cycles. Build for 90-day pivots, not 3-year roadmaps.
🎯 FOUR THINGS TO DO THIS WEEK
Verify FortiCloud SSO status — Ask your firewall team: Is FortiCloud SSO enabled on any FortiGate devices? If yes, get patches into emergency change control before Monday's CISA deadline.
Download NISTIR 8596 — Read the executive summary. Forward to your risk team with a note: "Let's map our AI initiatives against this before January."
Stress-test one AI pilot — Pick your highest-profile AI project. Can you answer: when did it start, what's the success metric, what's the kill date? If not, that's your first meeting this week.
Audit one SAML integration — Pick your most critical federated auth flow. Is signature validation enforced? Are assertions checked for expiration and audience? The Fortinet exploit worked because signature verification was flawed.
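The audit questions above (signature enforced, expiration and audience checked) can be turned into a repeatable check. The script below is an added example, not code from the newsletter, Fortinet or any vendor: it parses a SAML 2.0 assertion and reports whether it is unsigned, whether the signature's Reference actually points at the assertion being consumed (a signature that covers some other element should not be trusted), whether the NotBefore/NotOnOrAfter window has lapsed beyond a small clock skew, and whether the Audience matches your service provider. The entity IDs and sample assertions are constructed for illustration. It checks structure only; the cryptographic verification of the XML-DSig signature itself must be done by a proper library (e.g. signxml or xmlsec) against the IdP's pinned certificate, never skipped because a Signature element merely exists.

```python
"""Structural audit of a SAML 2.0 assertion: signed, signature references this
assertion, inside its validity window, addressed to the expected audience.
Added example; cryptographic XML-DSig verification is deliberately out of scope."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Hypothetical service-provider entity ID (assumption, not a real endpoint)
EXPECTED_AUDIENCE = "https://sp.example.invalid/saml/metadata"
CLOCK_SKEW = timedelta(minutes=2)          # tolerance for IdP/SP clock drift
NOW = datetime(2025, 12, 19, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the samples


def parse_saml_time(value):
    """SAML uses xs:dateTime in UTC, e.g. 2025-12-19T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_assertion(xml_text, now, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of findings; an empty list means every structural check passed."""
    findings = []
    assertion = ET.fromstring(xml_text)
    if assertion.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not a saml:Assertion"]
    assertion_id = assertion.get("ID")

    # 1. The assertion itself must carry a signature (not just the outer Response).
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        findings.append("assertion is not signed")
    else:
        # 2. The signed Reference must cover this assertion's ID; a signature
        #    over some other element gives no assurance about this one.
        ref = signature.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        if uri != f"#{assertion_id}":
            findings.append(f"signature reference {uri!r} does not cover assertion {assertion_id!r}")

    # 3. Validity window and 4. audience restriction both live under Conditions.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("no Conditions element")
        return findings
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        findings.append("Conditions lack NotBefore/NotOnOrAfter")
    else:
        if now + CLOCK_SKEW < parse_saml_time(not_before):
            findings.append("assertion not yet valid")
        if now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
            findings.append("assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include {expected_audience!r}")
    return findings


def build_assertion(assertion_id, audience, not_before, not_on_or_after, signed=True, signed_id=None):
    """Constructed sample assertion (placeholder signature value, not a real XML-DSig)."""
    signed_id = signed_id or assertion_id
    sig = (f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo><ds:Reference URI="#{signed_id}"/>'
           f'</ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>') if signed else ""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">'
            f'<saml:Issuer>https://idp.example.invalid</saml:Issuer>{sig}'
            f'<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion>')


def run_audit_samples():
    """Audit a set of constructed assertions; returns {sample name: findings}."""
    samples = {
        "valid": build_assertion("_a1", EXPECTED_AUDIENCE, "2025-12-19T11:55:00Z", "2025-12-19T12:05:00Z"),
        "expired": build_assertion("_a2", EXPECTED_AUDIENCE, "2025-12-19T10:00:00Z", "2025-12-19T10:05:00Z"),
        "wrong_audience": build_assertion("_a3", "https://other.example.invalid", "2025-12-19T11:55:00Z", "2025-12-19T12:05:00Z"),
        "unsigned": build_assertion("_a4", EXPECTED_AUDIENCE, "2025-12-19T11:55:00Z", "2025-12-19T12:05:00Z", signed=False),
        "misreferenced": build_assertion("_a5", EXPECTED_AUDIENCE, "2025-12-19T11:55:00Z", "2025-12-19T12:05:00Z", signed_id="_other"),
    }
    return {name: audit_assertion(xml, NOW) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, findings in run_audit_samples().items():
        print(f"{name:15s} {'OK' if not findings else '; '.join(findings)}")
```

Point it at real assertions captured from your IdP test tenant (with a real "now") to see which of the four checks your service provider would have let through; any finding here is one the SP's own validation must also produce, and a reject from the DSig library must win even when this structural audit passes.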
📊 FROM THE NETWORK
The theme this week: The bill is coming due.
Vendor replacement mentions in network submissions more than doubled year-over-year. Pandemic-era contracts are hitting renewal, and leaders are asking harder questions.
The Fortinet exploit lands at exactly the wrong time. When your firewall vendor auto-enables features that expand your attack surface, "we'll evaluate alternatives at renewal" becomes "we're evaluating alternatives now."
Meanwhile, the AI hype cycle is doing what hype cycles do. AI mentions peaked at 30% of submissions in mid-2024. This quarter: 16%. The pilots didn't disappear — they became governance problems. Automation mentions are up 2.5x over two years. Leaders stopped asking "what can AI do?" and started asking "what can we operationalize?"
2025 is the year the shortcuts catch up with you. NIST just gave you a framework. Use it before the auditors do.
💬 YOUR TURN
What's your AI pilot kill rate? Shipping or stuck in perpetual evaluation? Reply and let me know—I'll share patterns in a future issue.
JOIN THE NETWORK
The CXO Brief is powered by DoGood, a network of 5,000+ IT leaders who share priorities, evaluate vendors, and earn $200-400 per qualified conversation. You control your calendar. Every meeting is opt-in, pre-screened, and paid.
