Cybersecurity researchers have confirmed active attacks on Fortinet FortiGate devices exploiting two recently disclosed authentication vulnerabilities, less than a week after they were made public.
Arctic Wolf, a cybersecurity firm, reported observing malicious single sign-on (SSO) login attempts on FortiGate appliances on December 12, 2025. The attacks target two critical authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, with CVSS scores of 9.8. Fortinet released patches for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager last week.
“These vulnerabilities enable attackers to bypass SSO authentication without credentials through specially crafted SAML messages if the FortiCloud SSO feature is active on affected devices,” Arctic Wolf Labs stated in their advisory.
Although FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators manually deactivate it using the “Allow administrative login using FortiCloud SSO” setting.
The observed attacks originated from IP addresses linked to select hosting providers, including The Constant Company LLC, Bl Networks, and Kaopu Cloud HK Limited, targeting the “admin” account. Following the successful logins, attackers exported device configurations via the GUI to these same IP addresses.
Organizations are urged to apply the available patches immediately. As temporary mitigations until systems are updated, disabling FortiCloud SSO and restricting access to the management interfaces of firewalls and VPNs to trusted internal users are recommended.
“While credentials stored in network appliance configurations are typically hashed, threat actors can still crack weak hashes offline using dictionary attacks,” Arctic Wolf warned.
Fortinet users detecting indicators of compromise (IoCs) related to this campaign are advised to assume their devices have been compromised and reset all hashed firewall credentials extracted from the configurations.
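The reported pattern (an SSO login as "admin" from an outside address, followed by a configuration export to that same address) can be hunted for in management logs. The following is an added example, not code from Arctic Wolf or Fortinet: it assumes events have already been normalized into a hypothetical schema (`ts`, `device`, `action`, `method`, `user`, `src_ip`), and the trusted range, the 30-minute window and all sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: which networks count as trusted management sources, and how
# long after a login an export is still attributed to that session.
TRUSTED_MGMT = [ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=30)

# Constructed events in a hypothetical normalized schema (not FortiOS log format).
# Source addresses are taken from documentation ranges.
EVENTS = [
    {"ts": "2025-12-12T03:10:05", "device": "fw-edge-1", "action": "login", "method": "sso", "user": "admin", "src_ip": "203.0.113.50"},
    {"ts": "2025-12-12T03:12:40", "device": "fw-edge-1", "action": "config_export", "user": "admin", "src_ip": "203.0.113.50"},
    {"ts": "2025-12-12T09:00:00", "device": "fw-core-2", "action": "login", "method": "sso", "user": "admin", "src_ip": "10.1.2.3"},
    {"ts": "2025-12-12T09:05:00", "device": "fw-core-2", "action": "config_export", "user": "admin", "src_ip": "10.1.2.3"},
    {"ts": "2025-12-12T04:00:00", "device": "fw-edge-3", "action": "login", "method": "sso", "user": "admin", "src_ip": "198.51.100.7"},
    {"ts": "2025-12-12T06:30:00", "device": "fw-edge-3", "action": "config_export", "user": "admin", "src_ip": "198.51.100.7"},
    {"ts": "2025-12-12T05:00:00", "device": "fw-edge-1", "action": "config_export", "user": "admin", "src_ip": "198.51.100.7"},
]

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)

def find_suspicious_exports(events):
    """Return (device, src_ip, login_ts, export_ts) for every config export that
    follows an SSO 'admin' login from the same untrusted IP within WINDOW."""
    last_login = {}  # (device, src_ip) -> time of the latest matching login
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if is_trusted(ev["src_ip"]):
            continue  # exports from trusted management networks are out of scope
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["device"], ev["src_ip"])
        if ev["action"] == "login" and ev.get("method") == "sso" and ev.get("user") == "admin":
            last_login[key] = ts
        elif ev["action"] == "config_export" and key in last_login:
            if ts - last_login[key] <= WINDOW:
                hits.append((ev["device"], ev["src_ip"], last_login[key].isoformat(), ev["ts"]))
    return hits

if __name__ == "__main__":
    for device, ip, login_ts, export_ts in find_suspicious_exports(EVENTS):
        print(f"{device}: SSO admin login from {ip} at {login_ts}, config export at {export_ts}")
```

A hit means the exported configuration should be treated as disclosed, so the credential reset advised above applies to that device.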


