Threat actors have begun exploiting two recently disclosed vulnerabilities in Fortinet FortiGate devices less than a week after the flaws were made public. Cybersecurity company Arctic Wolf reports that it has observed active intrusions, in the form of malicious single sign-on (SSO) logins to vulnerable FortiGate appliances, since December 12, 2025. The attacks target two critical authentication bypass flaws, CVE-2025-59718 and CVE-2025-59719, both rated CVSS 9.8 (critical). Fortinet released patches for the issues last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
According to Arctic Wolf Labs, the vulnerabilities allow an unauthenticated attacker to bypass the SSO login authentication process using specially crafted SAML messages. Exploitation is only possible when the FortiCloud SSO feature is enabled on the device. Administrators should note that although FortiCloud SSO is disabled by default on a fresh installation, it is turned on automatically when the device is registered with FortiCare unless the administrator explicitly opts out using the “Allow administrative login using FortiCloud SSO” setting on the registration page.
The activity Arctic Wolf documented used IP addresses belonging to a small set of hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited. From these addresses the attackers performed the malicious SSO logins against the default “admin” account on vulnerable devices. After a successful login, they were observed exporting the device’s full configuration through the web GUI to the same external IP address the login came from.
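The observed sequence, an SSO login to an administrator account from a hosting-provider IP followed shortly by a configuration export to that same IP, is straightforward to hunt for in FortiGate event logs. The script below is an added example, not code from Arctic Wolf or Fortinet: it parses FortiOS-style key=value event lines (the sample lines are constructed, and the field names `method`, `action`, `logdesc` and `srcip` are assumptions about the log schema, so map them to the fields your devices actually emit), treats any successful SSO login from outside a trusted management range as suspicious, and checks whether a configuration backup from the same source followed within a time window.

```python
"""Hunt for SSO admin logins from untrusted IPs followed by a config export.

Added example, not from the Arctic Wolf report or Fortinet. The log lines are
constructed in a FortiOS-like key=value style; field names and values are
assumptions about the schema, not verified FortiOS identifiers.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs). Line 1+2: SSO login from a
# hosting-provider range followed by a config backup to the same IP.
# Lines 3+4: the same pattern from an internal admin over HTTPS (benign).
# Line 5: SSO login from an internal address with no follow-on export.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="sso" srcip=203.0.113.45 action="login" status="success"',
    'date=2025-12-12 time=03:14:52 type="event" subtype="system" logdesc="Configuration backup" user="admin" method="https" srcip=203.0.113.45 action="backup" status="success"',
    'date=2025-12-12 time=08:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=10.10.5.20 action="login" status="success"',
    'date=2025-12-12 time=08:05:30 type="event" subtype="system" logdesc="Configuration backup" user="admin" method="https" srcip=10.10.5.20 action="backup" status="success"',
    'date=2025-12-12 time=09:30:00 type="event" subtype="system" logdesc="Admin login successful" user="jdoe" method="sso" srcip=10.10.5.21 action="login" status="success"',
]

# Management ranges your administrators legitimately log in from (assumed).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# key=value or key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
    )
    return fields


def is_trusted(ip):
    """True when the source address falls inside a trusted management range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(lines, window=timedelta(minutes=30)):
    """Return SSO logins from untrusted IPs, flagging any config export that
    followed from the same IP within the window."""
    events = [parse_line(l) for l in lines]
    hits = []
    for ev in events:
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if ev.get("method") != "sso" or is_trusted(ev["srcip"]):
            continue
        # Correlate: a backup/export from the same source shortly after login
        # matches the post-login behaviour described in the report.
        exports = [
            e for e in events
            if e.get("action") == "backup"
            and e["srcip"] == ev["srcip"]
            and ev["ts"] <= e["ts"] <= ev["ts"] + window
        ]
        hits.append({
            "user": ev["user"],
            "srcip": ev["srcip"],
            "login_ts": ev["ts"].isoformat(),
            "config_exported": bool(exports),
            # The report specifically saw the built-in "admin" account abused.
            "default_admin": ev["user"] == "admin",
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
```

Run as-is against the constructed sample, the only hit is the 203.0.113.45 login, marked as the default admin account with a configuration export following it. The trusted-range allowlist is what makes the "untrusted IP" test meaningful; without it every SSO login would be flagged, and a login from a device you did not expect to be using SSO at all is itself worth investigating given that FortiCloud SSO is enabled silently on FortiCare registration.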
A spokesperson for Arctic Wolf Labs said the campaign is believed to be in its early stages and that only a small fraction of the networks the company monitors have been affected. The investigation into the origin and nature of the activity is ongoing, and Arctic Wolf has not yet attributed the attacks to a known threat actor. The activity observed so far appears opportunistic in both method and targeting.
Given the confirmed, ongoing exploitation, organizations running Fortinet devices should apply the available patches as soon as possible. Where patching cannot happen immediately, disable FortiCloud SSO entirely until the devices are updated to a fixed version, and restrict access to firewall and VPN management interfaces to trusted internal users only. Arctic Wolf also cautioned that because exported device configurations contain hashed credentials, customers who find indicators of compromise consistent with this campaign should assume compromise and reset any credentials stored in the firewall configuration.
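Both mitigations above (FortiCloud SSO turned off, management access limited to trusted sources) can be checked across a fleet by auditing configuration backups rather than clicking through each GUI. The following is an added example and not Fortinet's or Arctic Wolf's code: a small parser for the `config ... / edit ... / set ... / next / end` structure of a FortiOS configuration dump, plus an audit that flags `admin-forticloud-sso-login enable` under `config system global` and administrator accounts with no `trusthostN` restriction. The setting names are taken from the FortiOS CLI as the author understands it and should be verified against the CLI reference for your FortiOS version; the sample configuration is constructed.

```python
"""Audit a FortiOS-style configuration dump for the two mitigations named
in the article: FortiCloud SSO admin login, and trusted-host restrictions.

Added example, not Fortinet's or Arctic Wolf's code. Setting names
(admin-forticloud-sso-login, trusthostN) are the author's understanding of
the FortiOS CLI and should be verified for your version. Sample is constructed.
"""

# Constructed sample: SSO login left enabled, "admin" has no trusthost,
# "netops" is restricted to one management subnet.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set admintimeout 5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.5.0 255.255.255.0
    next
end
"""

# Value FortiOS shows for an unset trusthost slot ("any source").
ANY_HOST = "0.0.0.0 0.0.0.0"


def parse_config(text):
    """Parse config/edit/set/next/end blocks into
    {block_name: {"settings": {...}, "entries": {entry_name: {...}}}}.
    A stack of (block, current_entry) pairs keeps nested config blocks
    inside an edit entry from leaking settings into the wrong place."""
    blocks = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            name = line[len("config "):]
            blocks.setdefault(name, {"settings": {}, "entries": {}})
            stack.append((name, None))
        elif line.startswith("edit "):
            block, _ = stack[-1]
            entry = line[len("edit "):].strip('"')
            blocks[block]["entries"].setdefault(entry, {})
            stack[-1] = (block, entry)
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            block, entry = stack[-1]
            target = (blocks[block]["entries"][entry] if entry is not None
                      else blocks[block]["settings"])
            target[key] = value.strip('"')
        elif line == "next":
            block, _ = stack[-1]
            stack[-1] = (block, None)
        elif line == "end":
            stack.pop()
    return blocks


def audit(text):
    """Return a list of findings for the two mitigations in the article."""
    cfg = parse_config(text)
    findings = []

    glob = cfg.get("system global", {}).get("settings", {})
    if glob.get("admin-forticloud-sso-login") == "enable":
        findings.append("system global: admin-forticloud-sso-login is enabled; "
                        "disable it until the device runs a fixed release")

    for name, settings in cfg.get("system admin", {}).get("entries", {}).items():
        # Restricted only if at least one trusthostN slot is set to something
        # other than the "any" value.
        restricted = any(k.startswith("trusthost") and v != ANY_HOST
                         for k, v in settings.items())
        if not restricted:
            findings.append(f"system admin {name}: no trusthost restriction; "
                            "management login accepted from any source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed sample this reports two findings: the global SSO login setting and the unrestricted `admin` account, while `netops` passes. Because the attackers in this campaign exported full configurations, the same dumps this audits should be treated as sensitive, and any credentials they contain rotated if compromise is suspected.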
Source: Fortinet FortiGate Under Attack Via SAML SSO Authentication Bypass Active Misuse



