Critical Vulnerabilities in Fortinet FortiGate Devices Exploited in Active Attacks
In December 2025, cybersecurity firm Arctic Wolf identified active exploitation of two critical vulnerabilities in Fortinet’s FortiGate devices. The flaws, designated CVE-2025-59718 and CVE-2025-59719, both carry a severity score of 9.8 out of 10. They allow unauthenticated attackers to bypass single sign-on (SSO) authentication via crafted SAML messages, provided the FortiCloud SSO feature is enabled on the affected device.
FortiCloud SSO is disabled by default but becomes active during FortiCare registration unless administrators explicitly disable it. This automatic activation can inadvertently expose systems to potential attacks if not properly managed.
Arctic Wolf’s observations revealed that attackers used IP addresses from hosting providers such as The Constant Company LLC, Bl Networks, and Kaopu Cloud HK Limited to perform malicious SSO logins targeting the admin account. Post-login activity included exporting device configurations via the graphical user interface (GUI) to the same IP addresses, suggesting a systematic approach to data exfiltration.
The campaign appears to be in its early stages, with a relatively small number of networks affected. The attacks seem opportunistic, lacking specific targeting patterns. As of now, there is no attribution to any known threat actor groups.
In response to these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16, 2025. Federal agencies are mandated to apply the necessary patches by December 23, 2025, to mitigate potential risks.
Recommendations for Organizations:
1. Immediate Patching: Organizations using FortiGate devices should promptly apply the patches released by Fortinet to address these vulnerabilities.
2. Disable FortiCloud SSO: Until devices are updated, it’s advisable to disable the FortiCloud SSO feature to prevent unauthorized access.
3. Restrict Management Interface Access: Limit access to management interfaces of firewalls and VPNs to trusted internal users to reduce exposure to potential attacks.
4. Credential Management: Given that attackers have been exporting device configurations, it’s crucial to reset any credentials stored in these configurations. Even though credentials are typically hashed, weak passwords can be susceptible to offline cracking attempts.
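As an added example (not from the article, Arctic Wolf, or Fortinet), the following Python script flags the activity pattern described above: a successful login to the admin account from outside the management networks you trust, escalated when the same source IP exports the configuration shortly afterwards. The key=value log layout, field names, trusted ranges and sample lines are all constructed for this example; adapt the parser to your real FortiGate event logs.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events in a FortiGate-style key=value syslog layout
# (the field names are assumed; the lines are made up for this example).
SAMPLE_LOGS = [
    'date=2025-12-15 time=08:01:12 type="event" subtype="system" user="admin" srcip=203.0.113.10 action="login" status="success" msg="Administrator admin logged in"',
    'date=2025-12-15 time=08:03:40 type="event" subtype="system" user="admin" srcip=203.0.113.10 action="backup" status="success" msg="Configuration backed up via GUI"',
    'date=2025-12-15 time=09:10:00 type="event" subtype="system" user="admin" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in"',
    'date=2025-12-15 time=09:12:00 type="event" subtype="system" user="admin" srcip=10.0.0.5 action="backup" status="success" msg="Configuration backed up via GUI"',
    'date=2025-12-15 time=11:30:05 type="event" subtype="system" user="admin" srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"',
    'date=2025-12-15 time=11:31:15 type="event" subtype="system" user="admin" srcip=198.51.100.7 action="login" status="success" msg="Administrator admin logged in"',
]

# Assumption: management access is expected only from these internal ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a key=value line into a dict, unquoting values and adding a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def find_suspicious_admin_sessions(lines, window=timedelta(minutes=30)):
    """Flag successful admin logins from untrusted sources; raise the severity
    when the same source IP exports the configuration within the window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    for ev in events:
        if (ev.get("action"), ev.get("status"), ev.get("user")) != ("login", "success", "admin"):
            continue
        if is_trusted(ev["srcip"]):
            continue
        # Look for a configuration backup from the same source inside the window.
        export = next((e for e in events
                       if e.get("action") == "backup" and e["srcip"] == ev["srcip"]
                       and ev["ts"] <= e["ts"] <= ev["ts"] + window), None)
        alerts.append({"srcip": ev["srcip"], "login": ev["ts"],
                       "config_export": export["ts"] if export else None,
                       "severity": "high" if export else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_admin_sessions(SAMPLE_LOGS):
        print(alert)
```

Any "high" alert is a candidate for the credential reset in step 4, since the exported configuration should be treated as compromised.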
By implementing these measures, organizations can enhance their security posture and mitigate the risks associated with these vulnerabilities.