Your network security is under siege, and it’s happening faster than you might think. Just days after their public disclosure, two critical vulnerabilities in Fortinet FortiGate devices are already being actively exploited by threat actors. This alarming development highlights the urgent need for organizations to act swiftly to protect their systems. But here’s where it gets even more concerning: the attacks are bypassing SAML-based Single Sign-On (SSO) authentication, a method many rely on for secure access. Cybersecurity firm Arctic Wolf sounded the alarm on December 12, 2025, after detecting malicious SSO logins targeting FortiGate appliances. These attacks leverage two high-severity flaws—CVE-2025-59718 and CVE-2025-59719 (both with a CVSS score of 9.8)—which allow unauthenticated users to bypass SSO authentication using crafted SAML messages, provided the FortiCloud SSO feature is enabled. And this is the part most people miss: while FortiCloud SSO is disabled by default, it’s automatically turned on during FortiCare registration unless administrators manually disable it. This oversight could leave many organizations unknowingly exposed. Arctic Wolf observed malicious logins targeting the 'admin' account, originating from IP addresses linked to hosting providers like The Constant Company LLC, Bl Networks, and Kaopu Cloud Hk Limited. Post-login, attackers exported device configurations via the GUI to these same IPs, potentially compromising sensitive data. Fortinet has released patches for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, but the rapid exploitation underscores the critical need to apply these updates immediately. As a temporary mitigation, organizations should disable FortiCloud SSO until their systems are fully patched and restrict firewall and VPN management access to trusted internal users. But here’s the controversial part: even hashed credentials, which are typically considered secure, can be cracked offline by determined attackers, especially if passwords are weak. This raises a thought-provoking question: Are we doing enough to enforce strong password policies and protect against dictionary attacks? For Fortinet customers, the stakes are clear: if indicators of compromise (IoCs) are detected, assume breach and reset all hashed firewall credentials stored in exfiltrated configurations. This situation serves as a stark reminder of the ever-evolving threat landscape and the importance of proactive security measures. Found this eye-opening? Stay ahead of the curve by following us on Google News, Twitter, and LinkedIn for more exclusive insights and updates.
