Threat actors began exploiting two newly disclosed security flaws in Fortinet FortiGate devices less than a week after they were made public.
Cybersecurity company Arctic Wolf announced that it observed an active intrusion involving a malicious single sign-on (SSO) login on a FortiGate appliance on December 12, 2025. The attack exploited two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719, CVSS score: 9.8). A patch for this flaw was released by Fortinet last week for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
“These vulnerabilities could allow unauthenticated bypass of SSO login authentication via a crafted SAML message if FortiCloud SSO functionality is enabled on an affected device,” Arctic Wolf Labs said in a new security bulletin.
FortiCloud SSO is disabled by default, but your administrator can enable it on the registration page.[FortiCloud SSO を使用した管理ログインを許可する]Please note that it is automatically enabled during FortiCare enrollment unless you explicitly turn it off using settings.
In the malicious activity observed by Arctic Wolf, IP addresses associated with a limited number of hosting providers, including The Constant Company llc, Bl Networks, and Kaopu Cloud Hk Limited, were used to perform malicious SSO logins to “administrator” accounts.
After logging in, the attacker was found to export the device configuration to the same IP address via the GUI.
Given the ongoing exploit activity, organizations are encouraged to apply the patch as soon as possible. As a mitigation, it is important to disable FortiCloud SSO until the instance is updated to the latest version, and to restrict access to the firewall and VPN management interfaces to trusted internal users.
“Typically, credentials are hashed in the network appliance configuration, but attackers have been known to decrypt the hashes offline, especially when the credentials are weak and susceptible to dictionary attacks,” said Arctic Wolf.
Fortinet customers who find indicators of compromise (IoCs) that match a campaign are encouraged to assume a compromise and reset hashed firewall credentials stored in the extracted configuration.
Source link
