Threat actors are actively exploiting two newly disclosed critical security vulnerabilities in Fortinet FortiGate devices, just days after their public revelation. These zero-day attacks, observed on December 12, 2025, target authentication bypasses that could grant attackers unauthorized access. This rapid exploitation highlights the urgent need for organizations to patch their Fortinet appliances to prevent further network security breaches.
Cybersecurity firm Arctic Wolf reported the active intrusions, which involve malicious single sign-on (SSO) logins. The identified flaws, CVE-2025-59718 and CVE-2025-59719, carry a CVSS score of 9.8, indicating critical severity. Patches for these vulnerabilities were released by Fortinet last week for several of its products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Exploiting FortiGate Authentication Weaknesses
These vulnerabilities allow unauthenticated attackers to bypass SSO login authentication. According to Arctic Wolf Labs, this is achieved by sending specially crafted SAML messages, provided that the FortiCloud SSO feature is enabled on the affected FortiGate devices. While FortiCloud SSO is disabled by default, it can be automatically activated during FortiCare registration unless administrators actively disable it.
The malicious activity observed by Arctic Wolf involved attackers using IP addresses associated with specific hosting providers, including The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited. These attackers targeted the “admin” account to perform the malicious SSO logins. Following successful unauthorized access, the threat actors were seen exporting device configurations via the GUI to these same IP addresses, potentially gathering sensitive system information.
The implications of these network security flaws are significant. Compromised device configurations could expose critical network details, including user credentials, firewall rules, and other sensitive data. Attackers could then leverage this information for further lateral movement within the network, deeper reconnaissance, or to launch more targeted attacks.
Recommendations and Mitigation Strategies
In response to the ongoing exploitation, organizations are strongly advised to apply the available patches from Fortinet as soon as possible. As a critical interim mitigation, it is essential to disable FortiCloud SSO on affected devices until they can be updated to the latest patched versions. Furthermore, limiting access to the management interfaces of firewalls and VPNs to trusted internal users is a crucial step in bolstering network security.
“Although credentials are typically hashed in network appliance configurations, threat actors are known to crack hashes offline, especially if credentials are weak and susceptible to dictionary attacks,” Arctic Wolf stated, underscoring the risk associated with compromised configuration files.
Fortinet customers who identify indicators of compromise (IoCs) consistent with this campaign should assume their systems have been compromised. It is recommended that they proceed to reset any hashed firewall credentials that may have been exfiltrated as part of the exported configurations. This proactive approach is vital to prevent further exploitation and maintain the integrity of the network infrastructure.
The rapid exploitation of these FortiGate vulnerabilities underscores the persistent threat landscape surrounding network security devices. Organizations will likely continue to see evolving attack methods targeting such infrastructure. The focus for affected entities remains on immediate patching and robust access control measures to safeguard against these critical authentication bypasses and prevent potential widespread network compromise. Further research into the specific post-exploitation activities by threat actors will be crucial for developing more comprehensive defense strategies.