Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass

"Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8). Patches for the flaws were released by Fortinet last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. 'These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices,' Arctic Wolf Labs said in a new bulletin."
"In the malicious activity observed by Arctic Wolf, IP addresses associated with a limited set of hosting providers, such as The Constant Company LLC, BL Networks, and Kaopu Cloud HK Limited, were used to carry out malicious SSO logins against the 'admin' account. Following the logins, the attackers have been found to export device configurations via the GUI to the same IP addresses. In light of ongoing exploitation activity, organizations are advised to apply the patches as soon as possible."
Active intrusions exploited two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719) in Fortinet FortiGate devices less than a week after disclosure. Malicious single sign-on (SSO) logins occurred on December 12, 2025, targeting devices with FortiCloud SSO enabled. Patches were released for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers used hosting-provider IP addresses to log in as the admin account and exported device configurations via the GUI to those IPs. Organizations should apply patches immediately, disable FortiCloud SSO until updates are installed, and restrict management interface access to trusted users. Exported configurations can expose hashed credentials that may be cracked offline if weak.
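The pattern described above (a successful SSO login to the admin account from an untrusted address, followed shortly by a configuration export to the same address) is the kind of sequence a defender would want to hunt for in device event logs. The following detection script is an added example, not code from Arctic Wolf, Fortinet, or The Hacker News. The sample log lines are constructed in a generic key=value layout; the field names (date, time, action, ui, user, srcip, status) and the trusted management range 10.0.0.0/8 are assumptions for this illustration and must be mapped to the real event fields and network ranges of the environment being monitored.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in a generic key=value layout. These are NOT
# verbatim FortiOS log lines; the field names are assumptions for this example.
SAMPLE_LOG = """\
date=2025-12-12 time=03:14:07 type=event subtype=system action="login" ui="sso" user="admin" srcip=203.0.113.45 status="success" msg="Administrator admin logged in via SSO"
date=2025-12-12 time=03:15:30 type=event subtype=system action="export" ui="gui" user="admin" srcip=203.0.113.45 status="success" msg="Configuration exported"
date=2025-12-12 time=09:02:11 type=event subtype=system action="login" ui="sso" user="admin" srcip=10.0.5.20 status="success" msg="Administrator admin logged in via SSO"
date=2025-12-12 time=09:40:00 type=event subtype=system action="export" ui="gui" user="admin" srcip=10.0.5.20 status="success" msg="Configuration exported"
date=2025-12-12 time=11:20:45 type=event subtype=system action="login" ui="sso" user="admin" srcip=198.51.100.7 status="failure" msg="SSO login failed"
"""

# Assumption: management access is only expected from this internal range.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]
# How long after an admin SSO login a config export is treated as related.
CORRELATION_WINDOW = timedelta(minutes=30)

# Matches key=value pairs where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value log line into a dict and attach a datetime under 'ts'."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a quoted value; group(2) the bare token
        fields[key] = m.group(3) if m.group(3) is not None else m.group(2)
    fields["ts"] = datetime.fromisoformat(f"{fields['date']}T{fields['time']}")
    return fields


def is_trusted(ip):
    """True if the source address falls inside an expected management network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious_sso_activity(log_text):
    """Flag successful admin SSO logins from untrusted addresses and raise the
    severity when the same address exports the configuration within the window."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if not (ev.get("action") == "login" and ev.get("ui") == "sso"
                and ev.get("user") == "admin" and ev.get("status") == "success"):
            continue
        if is_trusted(ev["srcip"]):
            continue
        finding = {
            "srcip": ev["srcip"],
            "login_at": ev["ts"].isoformat(),
            "config_export": False,
            "severity": "medium",
        }
        # Look ahead for a config export from the same source inside the window.
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > CORRELATION_WINDOW:
                break
            if later.get("action") == "export" and later.get("srcip") == ev["srcip"]:
                finding["config_export"] = True
                finding["severity"] = "high"
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sso_activity(SAMPLE_LOG):
        print(f)
```

Against the constructed sample this yields one high-severity finding for 203.0.113.45 (external SSO admin login followed by an export), while the login from the trusted 10.0.5.20 address and the failed attempt from 198.51.100.7 are not reported. Any finding of this shape should be followed by the steps the article lists: patching, disabling FortiCloud SSO until patched, restricting management access, and treating credentials present in an exported configuration as exposed.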
Read at The Hacker News