Ravie Lakshmanan, Dec 16, 2025, Network Security / Vulnerability
Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public disclosure. Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8). Patches for the flaws were released by Fortinet last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

"These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices," Arctic Wolf Labs said in a new bulletin. It's worth noting that while FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly turn it off using the "Allow administrative login using FortiCloud SSO" setting on the registration page.

In the malicious activity observed by Arctic Wolf, IP addresses associated with a limited set of hosting providers, such as The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited, were used to carry out malicious SSO logins against the "admin" account. Following the logins, the attackers were found to export device configurations via the GUI to the same IP addresses.

A spokesperson for Arctic Wolf Labs told The Hacker News that the campaign is still in its early stages, adding that only a relatively small proportion of monitored networks have been affected. "Our investigation is ongoing into the origin and nature of this threat activity, and we are not able to attribute the attacks to any specific threat actor group at this time," it added. "So far, the pattern of activity has appeared to be opportunistic in nature."

In light of ongoing exploitation activity, organizations are advised to apply the patches as soon as possible. As mitigations, it's essential to disable FortiCloud SSO until the instances are updated to the latest version and to limit access to the management interfaces of firewalls and VPNs to trusted internal users. "Although credentials are typically hashed in network appliance configurations, threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks," Arctic Wolf said. Fortinet customers who find indicators of compromise (IoCs) consistent with the campaign are recommended to assume compromise and reset the hashed firewall credentials stored in the exfiltrated configurations.

Update: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on December 16, 2025, added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by December 23, 2025.
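The activity pattern described above (a successful SSO login to the "admin" account from a hosting-provider address, followed shortly by a configuration export through the GUI from the same address) is something a defender can hunt for in FortiGate event logs. The following detector is an added example written for this article; it is not code from Arctic Wolf, Fortinet, or The Hacker News. It parses FortiOS-style key=value event lines, flags successful SSO admin logins from outside a trusted management range, and escalates when a configuration download follows from the same source within a short window. The log lines are constructed, and the field names and values used (`action`, `ui`, `status`, `srcip`, `download-config`) are assumptions chosen for illustration, not verified FortiOS identifiers; adapt them to the fields your devices actually emit.

```python
"""Hunt for SSO admin logins followed by configuration exports in FortiOS-style logs.

Added example (not from the article or from Fortinet). Field names and the
sample lines below are constructed assumptions, not real FortiOS telemetry.
"""
from __future__ import annotations

import shlex
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real telemetry). The first two lines model the
# pattern described in the article; the rest are benign or trusted activity.
SAMPLE_LOGS = [
    'date=2025-12-12 time=09:14:02 type="event" subtype="system" action="login" '
    'status="success" user="admin" ui="sso" srcip="203.0.113.45" '
    'msg="Administrator admin logged in successfully from sso"',
    'date=2025-12-12 time=09:15:30 type="event" subtype="system" action="download-config" '
    'status="success" user="admin" ui="GUI" srcip="203.0.113.45" '
    'msg="Configuration backup downloaded"',
    'date=2025-12-12 time=10:02:11 type="event" subtype="system" action="login" '
    'status="success" user="jdoe" ui="https" srcip="10.20.0.15" '
    'msg="Administrator jdoe logged in successfully from https"',
    'date=2025-12-12 time=10:03:00 type="event" subtype="system" action="login" '
    'status="success" user="admin" ui="sso" srcip="10.20.0.15" msg="trusted sso login"',
    'date=2025-12-12 time=23:59:59 type="event" subtype="system" action="download-config" '
    'status="success" user="admin" ui="GUI" srcip="10.20.0.15" msg="routine backup"',
]

# Assumed trusted management network; in practice take this from your own policy.
TRUSTED_MGMT_NETS = [ip_network("10.20.0.0/16")]
# How long after an untrusted SSO login a config export is still considered linked.
EXPORT_WINDOW = timedelta(minutes=30)


def parse_line(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields: dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def event_time(fields: dict[str, str]) -> datetime:
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a trusted management range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyze(lines: list[str]) -> list[dict[str, str]]:
    """Return findings for untrusted SSO admin logins and linked config exports."""
    findings: list[dict[str, str]] = []
    last_untrusted_sso: dict[str, datetime] = {}  # srcip -> time of flagged login
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event" or f.get("status") != "success":
            continue
        ts = event_time(f)
        src = f.get("srcip", "")
        if (
            f.get("action") == "login"
            and f.get("ui", "").lower().startswith("sso")
            and f.get("user") == "admin"
            and not is_trusted(src)
        ):
            last_untrusted_sso[src] = ts
            findings.append({"rule": "sso_admin_login_untrusted_source",
                             "srcip": src, "time": ts.isoformat()})
        elif f.get("action") == "download-config":
            login_ts = last_untrusted_sso.get(src)
            if login_ts is not None and ts - login_ts <= EXPORT_WINDOW:
                findings.append({"rule": "config_export_after_sso_login",
                                 "srcip": src, "time": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

A hit on the second rule is the stronger signal: a configuration export after an SSO admin login from an untrusted source matches the sequence Arctic Wolf observed, and per the article's guidance the device should then be treated as compromised and its stored credentials reset, not merely patched.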