Fortinet FortiGate devices are already being exploited through recently disclosed authentication bypass flaws, only days after the vulnerabilities were made public.
Threat actors have begun active intrusions by abusing single sign-on (SSO) logins on FortiGate appliances; Arctic Wolf observed these events on December 12, 2025. The exploitation targets two critical authentication bypasses, CVE-2025-59718 and CVE-2025-59719, both rated CVSS 9.8. Fortinet released patches last week addressing these issues across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
According to Arctic Wolf Labs, these vulnerabilities permit unauthenticated bypass of SSO login authentication through crafted SAML messages when FortiCloud SSO is enabled on affected devices. While FortiCloud SSO isn’t enabled by default, it becomes active automatically during FortiCare registration unless an administrator disables it using the setting on the registration page labeled “Allow administrative login using FortiCloud SSO.”
In the observed attacks, attackers used IP addresses associated with a small group of hosting providers—The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited—to perform malicious SSO logins targeting the device’s admin account. After gaining access, the intruders have been seen exporting device configurations through the GUI to the same IPs.
Given the ongoing exploitation, organizations should patch systems as soon as possible. As immediate mitigations, disable FortiCloud SSO until updates are applied, and restrict access to firewall and VPN management interfaces to trusted internal personnel.
Arctic Wolf notes a common attacker tactic: even when credentials are hashed within network appliances, offline cracking can still succeed if credentials are weak or vulnerable to dictionary attacks.
Fortinet customers who detect IoCs consistent with this campaign should presume compromise and reset hashed firewall credentials found in any exfiltrated configurations.
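To illustrate the detection side of the pattern described above (an SSO login to the admin account from an unexpected source, followed by a configuration export to the same IP), here is an added Python example written for this article. It is not code from Arctic Wolf, Fortinet, or The Hacker News. The log lines are constructed to approximate FortiGate key=value event logs; the field names (user, ui, srcip, action, status), the trusted management range 10.0.0.0/8, and the 24-hour correlation window are assumptions to be adjusted for a real deployment.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines in FortiGate-style key=value format. Field
# names and values are assumptions for illustration, not a verbatim capture.
# 203.0.113.45 is a documentation range standing in for an untrusted source.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 type="event" subtype="system" user="admin" '
    'ui="sso(203.0.113.45)" srcip=203.0.113.45 action="login" status="success" '
    'msg="Administrator admin logged in successfully from sso(203.0.113.45)"',
    'date=2025-12-12 time=03:15:22 type="event" subtype="system" user="admin" '
    'ui="GUI(203.0.113.45)" srcip=203.0.113.45 action="backup" status="success" '
    'msg="Configuration backup downloaded"',
    'date=2025-12-12 time=08:02:11 type="event" subtype="system" user="netops" '
    'ui="https(10.1.1.20)" srcip=10.1.1.20 action="login" status="success" '
    'msg="Administrator netops logged in successfully from https(10.1.1.20)"',
    'date=2025-12-12 time=08:05:40 type="event" subtype="system" user="netops" '
    'ui="GUI(10.1.1.20)" srcip=10.1.1.20 action="backup" status="success" '
    'msg="Configuration backup downloaded"',
    'date=2025-12-12 time=09:30:00 type="event" subtype="system" user="admin" '
    'ui="sso(10.1.1.21)" srcip=10.1.1.21 action="login" status="success" '
    'msg="Administrator admin logged in successfully from sso(10.1.1.21)"',
]

# Assumed trusted management network(s); replace with the real admin ranges.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]
# Assumed window in which a config export after a flagged login is correlated.
EXPORT_WINDOW = timedelta(hours=24)

# Matches key=value pairs where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def is_trusted(ip):
    """True if the source IP falls inside an allowed management range."""
    return any(ip_address(ip) in net for net in TRUSTED_MGMT_NETS)


def find_suspicious(lines):
    """Flag successful SSO admin logins from untrusted IPs, and any config
    export from the same IP within EXPORT_WINDOW after such a login."""
    findings = []
    untrusted_sso = {}  # srcip -> timestamp of the flagged SSO login
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        src = ev.get("srcip")
        if not src:
            continue
        is_sso_login = (ev.get("action") == "login"
                        and ev.get("status") == "success"
                        and ev.get("ui", "").startswith("sso"))
        if is_sso_login and not is_trusted(src):
            findings.append({"rule": "sso_login_untrusted_ip", "srcip": src,
                             "user": ev.get("user"), "ts": ev["ts"]})
            untrusted_sso[src] = ev["ts"]
        elif (ev.get("action") == "backup" and src in untrusted_sso
              and ev["ts"] - untrusted_sso[src] <= EXPORT_WINDOW):
            findings.append({"rule": "config_export_after_untrusted_sso",
                             "srcip": src, "user": ev.get("user"), "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f["ts"], f["rule"], f["srcip"], f["user"])
```

Run against the constructed sample, the script reports the two events from 203.0.113.45 and stays quiet about the internal logins, including the SSO login from 10.1.1.21, which is inside the trusted range. A device that produces a "config_export_after_untrusted_sso" finding is exactly the case the article tells administrators to treat as compromised: the exported configuration carries the hashed admin credentials, so those credentials should be reset.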
If you found this analysis helpful, follow The Hacker News for more updates on Google News, Twitter, and LinkedIn.