Fortinet FortiGate Under Active Attack Via SAML SSO Authentication Bypass
Adversaries are now actively exploiting two recently disclosed vulnerabilities in Fortinet FortiGate devices, with exploitation beginning less than a week after public disclosure.
Arctic Wolf reported observing live intrusions on December 12, 2025, involving malicious single sign-on (SSO) activity against FortiGate appliances. The activity leverages two critical authentication bypass issues (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8). Fortinet issued fixes for these bugs last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
“These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices,” Arctic Wolf Labs said in a new bulletin.
While FortiCloud SSO is disabled by default, it is automatically enabled as part of FortiCare registration unless administrators explicitly turn it off using the “Allow administrative login using FortiCloud SSO” control on the registration page.
In the activity Arctic Wolf has tracked, IP addresses tied to a small set of hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited, have been used to perform malicious SSO logins against the “admin” account.
After obtaining access, the threat actors have been observed exporting device configurations through the GUI and sending them to the same IP addresses.
Given that exploitation is already underway, organizations should prioritize deploying the vendor patches. As interim mitigations, disable FortiCloud SSO until all instances are upgraded to fixed versions, and restrict management-plane access for firewalls and VPNs to trusted internal networks and administrative users only.
“Although credentials are typically hashed in network appliance configurations, threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks,” Arctic Wolf said.
Fortinet customers who identify indicators of compromise (IoCs) that align with this activity should operate under an assumed-compromise model and reset any hashed firewall credentials present in the exfiltrated configuration files.
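The following script is an added triage example written for this article; it is not Arctic Wolf or Fortinet code. It shows the two checks a defender would want from the observed activity: flag successful “admin” SSO logins from sources outside the trusted management networks, escalate when the same source then exports the configuration (the pattern described above), and audit an exported FortiOS config for the FortiCloud SSO admin-login setting. The log lines and config snippet are constructed, and the field names (srcip, user, method, action, logdesc) and the setting name admin-forticloud-sso-login are assumptions to map onto your own log schema and FortiOS version.

```python
"""Triage helper for the FortiGate SSO-bypass activity described above.

Constructed example, not Arctic Wolf or Fortinet code. Log field names and
the FortiOS setting name are assumptions; verify them against your own logs
and FortiOS version before relying on the checks.
"""
import ipaddress
import re

# Constructed sample events in FortiOS-style key="value" syntax (not real logs).
SAMPLE_LOGS = [
    'date=2025-12-12 time=08:01:10 type="event" subtype="system" action="login" '
    'status="success" user="admin" method="sso" srcip="198.51.100.23" '
    'msg="Administrator admin logged in via SSO"',
    'date=2025-12-12 time=08:02:44 type="event" subtype="system" action="download" '
    'user="admin" srcip="198.51.100.23" logdesc="Configuration backup" '
    'msg="Configuration backup downloaded"',
    'date=2025-12-12 time=09:15:00 type="event" subtype="system" action="login" '
    'status="success" user="admin" method="https" srcip="10.20.0.5" '
    'msg="Administrator admin logged in"',
]

# Constructed config export fragment; the setting name is an assumption.
SAMPLE_CONFIG = """config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-1"
end
"""

# Constructed trusted management networks; replace with your own ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# key=value pairs, either "quoted with spaces" or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def is_trusted(ip):
    """True when the source address falls inside a trusted admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(lines):
    """Return findings in log order.

    high:     successful admin SSO login from an untrusted source
    critical: that same source then exported the device configuration
    """
    findings = []
    suspicious_sources = set()
    for ev in map(parse_event, lines):
        src = ev.get("srcip")
        if not src:
            continue
        if (ev.get("action") == "login" and ev.get("status") == "success"
                and ev.get("user") == "admin" and ev.get("method") == "sso"
                and not is_trusted(src)):
            suspicious_sources.add(src)
            findings.append({"severity": "high", "srcip": src,
                             "reason": "admin SSO login from untrusted source"})
        elif (ev.get("action") == "download"
                and "Configuration" in ev.get("logdesc", "")
                and src in suspicious_sources):
            findings.append({"severity": "critical", "srcip": src,
                             "reason": "configuration exported by untrusted SSO "
                                       "session; assume compromise and reset "
                                       "all hashed credentials in that config"})
    return findings


SSO_SETTING_RE = re.compile(
    r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\s*$", re.M)


def forticloud_sso_state(config_text):
    """Audit an exported config for the FortiCloud SSO admin-login setting.

    Returns "enabled", "disabled", or "unknown" when the line is absent
    (FortiOS omits defaults, so confirm the state in the GUI or CLI).
    """
    m = SSO_SETTING_RE.search(config_text)
    return m.group(1) + "d" if m else "unknown"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f['severity'].upper()}] {f['srcip']}: {f['reason']}")
    print("FortiCloud SSO admin login:", forticloud_sso_state(SAMPLE_CONFIG))
```

Run it against your own exported event logs by replacing SAMPLE_LOGS; any “critical” finding corresponds to the assumed-compromise case in the guidance above, and a config that reports “enabled” while patches are still pending is the interim-mitigation case (disable FortiCloud SSO until the device is upgraded).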
