Threat actors have begun exploiting two newly disclosed critical vulnerabilities in Fortinet FortiGate devices less than a week after their public disclosure, according to cybersecurity firm Arctic Wolf.
Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on December 12, 2025. The attacks target two authentication bypass flaws tracked as CVE-2025-59718 and CVE-2025-59719. Fortinet released patches for the issues across its FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products.
“These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices,” Arctic Wolf Labs explained in a blog post.
While FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly turn it off. Arctic Wolf noted that the observed attacks originated from IP addresses linked to a small number of hosting providers, including The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited, and targeted the “admin” account.
Following successful logins, attackers were seen exporting device configurations through the graphical user interface to the same IP addresses.
Given the active exploitation, organizations are strongly advised to apply patches as soon as possible. As mitigation steps, security teams should disable FortiCloud SSO until systems are fully updated and restrict access to firewall and VPN management interfaces to trusted internal users only.
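A defender-side check for the activity described above (SSO logins to the "admin" account from hosting-provider IPs, followed by a configuration export from the same address), written as an added example for this article rather than code from Arctic Wolf or Fortinet. It parses FortiGate-style key=value log lines; the sample lines, the field names `method`, `action=download` and the trusted management range are constructed assumptions for the example, not Fortinet's documented log schema.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in key=value syntax. Field names and values are
# assumptions for this example, not the actual Fortinet event-log schema.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 type=event subtype=system action=login status=success '
    'user="admin" method=sso srcip=203.0.113.45 msg="Administrator admin logged in via SSO"',
    'date=2025-12-12 time=03:15:30 type=event subtype=system action=download status=success '
    'user="admin" srcip=203.0.113.45 msg="Configuration backup downloaded via GUI"',
    'date=2025-12-12 time=08:02:11 type=event subtype=system action=login status=success '
    'user="admin" method=https srcip=10.0.5.20 msg="Administrator admin logged in from GUI"',
    'date=2025-12-12 time=09:40:00 type=event subtype=system action=login status=failed '
    'user="admin" method=sso srcip=198.51.100.7 msg="SSO login failed"',
]

# Assumption: management access should only come from these internal ranges.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]

# Matches key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious_sso(lines):
    """Flag successful SSO logins to 'admin' from untrusted IPs and note whether
    the same source later pulled a configuration backup."""
    events = [parse_line(l) for l in lines]
    findings = []
    for i, ev in enumerate(events):
        if (ev.get("action") == "login" and ev.get("status") == "success"
                and ev.get("method") == "sso" and ev.get("user") == "admin"
                and not is_trusted(ev["srcip"])):
            exported = any(e.get("action") == "download" and e.get("srcip") == ev["srcip"]
                           for e in events[i + 1:])
            findings.append({"srcip": ev["srcip"], "time": ev["time"],
                             "config_exported": exported})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sso(SAMPLE_LOGS):
        print(f)
```

Run against real exports, the same logic should treat any successful SSO admin login from outside the trusted ranges as an incident trigger, with a following config download raising the priority.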