**Hackers Exploit Critical Fortinet Flaws Just Days After Patch Release**

The cybersecurity landscape is once again marred by a critical vulnerability in a popular security product, leaving organizations scrambling to protect themselves from potential attacks. Threat actors have begun exploiting two critical flaws in Fortinet products, tracked as CVE-2025-59718 and CVE-2025-59719, just days after the vendor released patches.

The vulnerabilities, which have a CVSS score of 9.1, affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled. The root cause is an improper verification of cryptographic signature: an unauthenticated attacker can bypass the FortiCloud SSO login by sending a crafted SAML message to a device on which the feature is enabled.

FortiCloud SSO is not enabled by default but activates automatically during FortiCare registration unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page. This means that administrators may unintentionally enable the feature, leaving their organizations vulnerable to attacks.

The vendor recommends disabling the FortiCloud login feature (if enabled) until upgrading to a non-affected version as a temporary mitigation. The vulnerabilities were internally discovered and reported by Yonghui Han and Theo Leleu of the Fortinet Product Security team.

**Threat Actors Exploit Flaws with Malicious SSO Logins**

Arctic Wolf researchers have observed attackers exploiting these critical flaws on December 12, just three days after patches were issued. The attacks involved malicious SSO logins on FortiGate devices, mainly targeting the admin account, with the logins originating from a small set of hosting providers.

After gaining access, the attackers exported device configurations via the GUI. These exports include hashed credentials that threat actors can attempt to crack offline, increasing the risk of further compromise.

**Experts Warn of Increased Risk of Compromise**

"On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter," the experts reported.

The recent intrusions involved malicious SSO logins to FortiGate devices originating from a small set of hosting providers. Attackers primarily targeted the admin account, successfully authenticating via SSO from specific IP addresses. After gaining access, they used the FortiGate GUI to download device configuration files, exporting them to the same source IPs.

**Experts Urge Administrators to Take Immediate Action**

Arctic Wolf warns that administrators should check for signs of compromise, reset credentials if needed, and restrict firewall management access to trusted networks. The vendor has released patches across multiple FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb versions.
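One way to turn those two checks into something repeatable is to scan exported device event logs for SSO logins from outside the trusted management network and for configuration downloads in the same session. The following is an added example, not Arctic Wolf's or Fortinet's code; the log lines are constructed, and the key=value layout and field names (`action`, `method`, `srcip`, `user`) are an assumption that must be adapted to the actual FortiOS export.

```python
"""Flag SSO admin logins from untrusted sources and follow-on config exports.

Added example, not from Arctic Wolf or Fortinet. The sample lines below are
constructed in a generic key=value style; real FortiOS field names and values
vary by version, so adapt parse_line() to the export you are reviewing.
"""
import re
import ipaddress

# Constructed sample event lines (not real telemetry).
SAMPLE_LOGS = """\
date=2025-12-12 time=08:14:02 type=event subtype=system action=login user="admin" srcip=203.0.113.45 method="sso" status=success
date=2025-12-12 time=08:15:30 type=event subtype=system action=download user="admin" srcip=203.0.113.45 msg="Configuration backup exported"
date=2025-12-12 time=09:01:11 type=event subtype=system action=login user="admin" srcip=10.20.0.5 method="https" status=success
date=2025-12-12 time=09:05:00 type=event subtype=system action=login user="ops" srcip=10.20.0.7 method="sso" status=success
"""

# Assumed trusted management network; replace with your own ranges.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip):
    """True if the source address falls inside an allowed management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def find_suspicious(log_text):
    """Return (reason, user, srcip) alerts for SSO logins from untrusted IPs
    and for configuration downloads coming from an IP already flagged."""
    alerts = []
    flagged_ips = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        src = ev.get("srcip", "")
        if ev.get("action") == "login" and ev.get("method") == "sso" and not is_trusted(src):
            flagged_ips.add(src)
            alerts.append(("untrusted_sso_login", ev.get("user", "?"), src))
        elif ev.get("action") == "download" and src in flagged_ips:
            alerts.append(("config_export_after_sso", ev.get("user", "?"), src))
    return alerts


if __name__ == "__main__":
    for reason, user, src in find_suspicious(SAMPLE_LOGS):
        print(f"{reason}: user={user} srcip={src}")
```

A hit on `config_export_after_sso` is the case the report describes (credential hashes leaving the box), so it should trigger the credential reset, not just a closer look.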

Fortinet advises disabling FortiCloud SSO admin login to mitigate exploitation risks. Administrators are urged to take immediate action to protect themselves from potential attacks.

**Timeline of Events**

* December 9, 2025: Fortinet releases an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719)
* December 12, 2025: Arctic Wolf begins observing intrusions involving malicious SSO logins on FortiGate appliances
* December 12, 2025: Threat actors exploit critical flaws just days after patch release

**Recommendations**

* Administrators should check for signs of compromise and reset credentials if needed
* Restrict firewall management access to trusted networks
* Disable FortiCloud SSO admin login to mitigate exploitation risks
* Upgrade to non-affected versions as soon as possible