Active Attacks Target Fortinet FortiGate Devices Through SAML SSO Vulnerabilities

By Tina Reynolds

Arctic Wolf recently observed an increase in malicious activity aimed at Fortinet FortiGate appliances as of December 12, 2025. Threat actors have been exploiting two vulnerabilities in single sign-on (SSO) authentication. These vulnerabilities, CVE-2025-59718 and CVE-2025-59719, are rated Critical severity with a CVSS score of 9.8. The attacks seized on a major weakness, actively targeting the ubiquitous “admin” account, which should raise alarm bells for any organization that uses these devices.

Fortinet recently published patches for these vulnerabilities across several products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. How quickly the vulnerabilities were exploited highlights why it is so important for admins to install these updates as soon as possible.

Exploitation Details

The intrusions seen by the Arctic Wolf team use specially crafted SAML messages that allow unauthenticated users to bypass SSO login authentication. This applies only when the FortiCloud SSO feature is enabled on the affected devices. Arctic Wolf Labs described the nature of the vulnerabilities by citing Fortinet’s own advisory: “These vulnerabilities permit unauthenticated bypass of SSO login authentication through specially crafted SAML messages, provided the FortiCloud SSO feature is enabled on vulnerable devices.”

While FortiCloud SSO is disabled by default, it is turned on automatically during FortiCare registration unless administrators explicitly disable it. The setting can be found under the “Allow administrative login using FortiCloud SSO” option on the registration page. This automatic enabling poses a significant risk if it is not deliberately reviewed and turned off where it is not needed.

Malicious IP Addresses Identified

Arctic Wolf’s research found thousands of IP addresses, associated with only a handful of hosting providers, that were ultimately executing the malicious SSO logins. The Constant Company LLC, Bl Networks, and Kaopu Cloud Hk Limited were among those connected to these operations. This indicates that threat actors have been able to use the infrastructure of these hosting providers to carry out their attacks.

“Our investigation is ongoing into the origin and nature of this threat activity, and we are not able to attribute the attacks to any specific threat actor group at this time,” Arctic Wolf Labs added regarding their ongoing efforts to assess the situation.

Best Practices for Administrators

Given these vulnerabilities, administrators must act quickly. Knowing which systems are connected, and ensuring that the latest patches are applied across all relevant systems, is critical. Fortinet recommends that administrators look for configurations that have FortiCloud SSO enabled and, if it is not needed, disable it.

Arctic Wolf also noted that credentials stored inside appliance configurations, such as those of firewalls and other network devices, need to be protected. Network appliance configurations often store credentials only in hashed form, but threat actors who obtain those hashes can still crack them offline, especially when the credential is weak and susceptible to a dictionary attack. This should be a wakeup call for all organizations to implement strict password policies and regularly audit their security settings.
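The two administrative checks this article calls for, whether FortiCloud SSO admin login is enabled and whether a configuration backup carries hashed admin credentials without an enforced password policy, can be audited offline against a configuration export. The script below is an added example written for this article, not code from Arctic Wolf or Fortinet. It assumes the FortiOS CLI key names `admin-forticloud-sso-login` (under `config system global`) and `config system password-policy` with `set status`, as they exist in the FortiOS CLI reference; verify them against your firmware version. The configuration text and the `ENC` values in it are constructed placeholders, not real hashes.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiOS-style configuration export (not from any real device).
# The ENC values are placeholders, not genuine credential hashes.
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-edge-01"
    set admin-forticloud-sso-login enable
    set admintimeout 5
end
config system password-policy
    set status disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_HASH_ONE==
    next
    edit "svc-backup"
        set accprofile "prof_admin"
        set password ENC PLACEHOLDER_HASH_TWO==
    next
end
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group the stripped lines of each top-level 'config ...' block by block name.

    Nested 'config'/'end' pairs inside an 'edit' entry are tracked by depth so
    that an inner 'end' does not close the outer block early.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    depth = 0
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            if depth == 0:
                current = line[len("config "):]
                sections.setdefault(current, [])
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def audit(config: str) -> dict:
    """Report the settings an administrator should review after reading this advisory."""
    sections = parse_sections(config)
    global_lines = sections.get("system global", [])
    sso_enabled = any(re.fullmatch(r"set admin-forticloud-sso-login\s+enable", l)
                      for l in global_lines)
    policy_lines = sections.get("system password-policy", [])
    policy_enabled = any(re.fullmatch(r"set status\s+enable", l) for l in policy_lines)
    admin_lines = sections.get("system admin", [])
    admin_accounts = [m.group(1) for l in admin_lines
                      if (m := re.fullmatch(r'edit "(.+)"', l))]
    # Hashed credentials embedded in the export: anyone holding this file can attack them offline.
    hashed_credentials = sum(1 for l in admin_lines if l.startswith("set password ENC"))

    findings: List[str] = []
    if sso_enabled:
        findings.append("FortiCloud SSO admin login is enabled; disable it unless it is required "
                        "(the path used by the SAML bypass described in the advisory)")
    if not policy_enabled:
        findings.append("system password-policy is not enabled; weak admin credentials remain "
                        "susceptible to offline dictionary attacks if the config leaks")
    if "admin" in admin_accounts:
        findings.append("default 'admin' account is present; it is the account the observed "
                        "attacks target, so review its profile, trusted hosts and MFA")
    if hashed_credentials:
        findings.append(f"{hashed_credentials} hashed admin credential(s) are embedded in this "
                        "export; store and transmit configuration backups as secrets")
    return {
        "forticloud_sso_enabled": sso_enabled,
        "password_policy_enabled": policy_enabled,
        "admin_accounts": admin_accounts,
        "embedded_credential_hashes": hashed_credentials,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; the parser only needs the `config`/`end` nesting that FortiOS exports already use, so other sections are ignored rather than misread.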