Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8). Patches for the flaws were released by Fortinet last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. "These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices," Arctic Wolf Labs said in a new bulletin.
The guidance states admins should treat on-prem Exchange servers as being "under imminent threat," and itemizes key practices for admins. First, it notes, "the most effective defense against exploitation is ensuring all Exchange servers are running the latest version and Cumulative Update (CU)." It points out that Microsoft Exchange Server Subscription Edition (SE) is the sole supported on-premises version of Exchange, since Microsoft ended support for previous versions on October 14, 2025. It urges admins to ensure Microsoft's Emergency Mitigation Service remains enabled for delivery of interim mitigations. Maintaining a security baseline enables administrators to identify non-conforming systems and those with incorrect security configurations, as well as allowing them to perform rapid remediation that reduces the attack surface available to an adversary.
In July, Microsoft fixed a flaw in its file sharing service SharePoint that was already being exploited by attackers. Later that month, Microsoft warned that hackers were making use of the zero-day to distribute ransomware, adding even more risk to the serious vulnerability. The SharePoint flaw is just one example of attackers becoming faster at exploiting vulnerabilities before they can be properly addressed by vendors and patched by organizations.