FortiGate firewall credentials being stolen after vulnerabilities discovered

Threat actors aren’t wasting time taking advantage of newly-revealed vulnerabilities in Fortinet device authentication.

Researchers at Arctic Wolf said they have been seeing malicious single sign-on (SSO) attempts trying to leverage the holes in FortiGate next-generation firewalls since Fortinet alerted admins about the vulnerabilities on December 9.

“We have seen tens of intrusions since December 12, 2025,” a spokesperson for Arctic Wolf Labs told CSO. “So far, the pattern of activity has appeared to be opportunistic in nature. While it is difficult to estimate the number of devices directly vulnerable to this vulnerability, there are hundreds of thousands of Fortinet appliances accessible on the public internet through specialized search engines. This allows threat actors to opportunistically attempt exploitation against large swaths of devices at once.”

Arctic Wolf’s advisory says admins who see malicious activity in their logs should assume that hashed firewall credentials stored in the exfiltrated configurations have been compromised, and reset those credentials “as soon as possible.” 

On Tuesday, the US Cybersecurity and Infrastructure Security Agency added one of the vulnerabilities, CVE-2025-59718, to its Known Exploited Vulnerabilities (KEV) catalog. If a flaw is listed in the catalog, federal civilian executive branch agencies have to immediately remediate the affected product or service. CISA says that any listing should also be seen by private sector IT departments as a warning to prioritize their own remediation or patching.

Among other things, hackers exploiting the vulnerabilities could access Fortinet device configuration files to accelerate a breach of security controls.

The authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, are in the Fortinet FortiOS operating system that runs FortiWeb, FortiProxy and FortiSwitchManager devices. If exploited, they may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication, if that feature is enabled on the device.

For some admins, it may have been unknowingly turned on; when administrators register devices using the FortiCare product support portal, FortiCloud SSO is automatically enabled unless they disable the “Allow administrative login using FortiCloud SSO” setting on the registration page. 

To prevent being affected by this vulnerability, admins should turn off the FortiCloud login feature, if enabled, then upgrade software to the latest version before re-enabling the function.
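The two defender actions the article describes, checking whether FortiCloud SSO admin login is on and resetting the admin credentials contained in any configuration that may have been exfiltrated, can be scripted against a configuration backup. The following is an added example, not code from the article, Arctic Wolf or Fortinet. It assumes the FortiOS CLI backup layout of `config ... end` blocks with `edit ... next` entries, that the setting appears under `config system global` as `admin-forticloud-sso-login`, and that admin accounts are listed under `config system admin`; those names are assumptions to verify against your firmware's CLI reference, and the sample config is constructed.

```python
"""Added example (not from the article or Fortinet): audit a FortiOS-style
config backup for the FortiCloud SSO admin-login setting and list the admin
accounts whose credentials should be rotated if the backup was exfiltrated.

Assumed (not stated on the page): the setting is `admin-forticloud-sso-login`
under `config system global`, and admin accounts sit under `config system admin`.
"""

import re
from dataclasses import dataclass, field

# Constructed sample config in FortiOS CLI backup style; not from a real device.
SAMPLE_CONFIG = """\
#config-version=PLACEHOLDER
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set admin-sport 8443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_HASH_1
    next
    edit "svc-backup"
        set accprofile "prof_admin"
        set password ENC PLACEHOLDER_HASH_2
    next
end
"""


@dataclass
class ConfigAudit:
    sso_login: str  # "enable", "disable", or "unset" when the line is absent
    admin_accounts: list[str] = field(default_factory=list)

    @property
    def sso_exposed(self) -> bool:
        # Treat an absent setting as enabled: the article notes FortiCloud SSO
        # is switched on at registration unless the admin explicitly disables it.
        return self.sso_login != "disable"


def parse_blocks(text: str) -> dict[str, list[str]]:
    """Return {block name: [stripped lines inside]} for each top-level
    `config ... end` block. Nested config/end pairs are tracked by depth so
    their content stays with the enclosing top-level block."""
    blocks: dict[str, list[str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ") and depth == 0:
            current = line[len("config "):]
            blocks[current] = []
            depth = 1
            continue
        if current is None:
            continue  # comments or header lines outside any block
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
                continue
        blocks[current].append(line)
    return blocks


def audit(text: str) -> ConfigAudit:
    """Extract the SSO login state and the admin account names."""
    blocks = parse_blocks(text)
    sso = "unset"
    for line in blocks.get("system global", []):
        m = re.fullmatch(r"set admin-forticloud-sso-login (\S+)", line)
        if m:
            sso = m.group(1)
    admin_block = "\n".join(blocks.get("system admin", []))
    admins = re.findall(r'^edit "([^"]+)"$', admin_block, re.M)
    return ConfigAudit(sso_login=sso, admin_accounts=admins)


def rotation_plan(text: str) -> list[str]:
    """Defender actions for a backup that may have left the device."""
    result = audit(text)
    actions = []
    if result.sso_exposed:
        actions.append("disable FortiCloud SSO login, upgrade FortiOS, then re-enable")
    for name in result.admin_accounts:
        actions.append(f"reset password for admin account '{name}'")
    return actions


if __name__ == "__main__":
    for action in rotation_plan(SAMPLE_CONFIG):
        print(action)
```

Run against a real backup by replacing `SAMPLE_CONFIG` with the file contents; the plan lists the SSO step only while the setting is enabled or absent, and one reset per admin account regardless, since hashed credentials in an exfiltrated config should be treated as compromised whether or not the SSO flaw was the entry point.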

Fortinet acted quickly to patch the authentication bypass vulnerabilities, said Piyush Sharma, CEO of Tuskira, a vulnerability platform provider.

“However,” he added, “the speed at which threat actors exploit newly discovered flaws continues to outpace traditional patch cycles, underscoring the critical need for agentic AI systems that provide continuous, real-time exposure management and autonomous threat response.”

He noted that any configuration files that have been exfiltrated could allow hackers to map network architecture and identify vulnerable interfaces and points of failure to be used in targeted attack campaigns or exploitation, and weak passwords could be cracked offline and allow attackers to pass as legitimate users and move laterally across networks. “The combination of this information sets the stage for potentially dangerous and highly precise cyberattacks, which could lead to data theft or even total network compromise,” he warned.

Vulnerable organizations that haven’t implemented Fortinet’s released patches should do so immediately, he said.

As well, all organizations should practice credential rotation and implement principles of least privilege to prevent data from being unnecessarily leaked, he added. 

Beyond following Fortinet’s advice on upgrading its device software, Arctic Wolf also urges admins to follow the manufacturer’s best practices for hardening its devices.
