Your network's security is under siege, and it's time to take action. A critical vulnerability in Fortinet's FortiGate devices is being actively exploited in the wild, putting countless organizations at risk of unauthorized access and data breaches. But here's the shocking part: attackers are bypassing authentication entirely, gaining administrative control through a seemingly innocuous feature.
Threat actors have set their sights on two specific vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which allow them to perform unauthenticated single sign-on (SSO) logins via malicious SAML messages. This sophisticated attack vector grants them the keys to the kingdom, leaving your sensitive data exposed. And this is the part most people miss: the FortiCloud SSO feature, which is automatically enabled during device registration, is the very gateway attackers are exploiting.
Fortinet disclosed these flaws in December 2025, and Arctic Wolf swiftly followed suit with a security bulletin urging immediate patching. However, the damage was already done, as multiple product lines – including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager – were affected when FortiCloud SSO was enabled. The irony? FortiCloud SSO login is disabled by default in factory settings, but its automatic activation during registration, coupled with administrators' oversight in disabling the 'Allow administrative login using FortiCloud SSO' option, has created a perfect storm for remote exploitation.
Here's where it gets even more alarming: Arctic Wolf has identified a limited set of IP addresses, assigned to providers like The Constant Company LLC and Kaopu Cloud HK Limited, as the source of these attacks. These threat actors are primarily targeting the default 'admin' account, exploiting a common configuration weakness. A sample log from a compromised FortiGate device reveals a successful SSO login, followed by the export of device configurations via the GUI – a clear indication of the attacker's intentions.
The affected versions and their corresponding fixes are as follows:
| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| FortiOS | 7.6.0 – 7.6.3, 7.4.0 – 7.4.8, 7.2.0 – 7.2.11, 7.0.0 – 7.0.17 | 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+ |
| FortiProxy | 7.6.0 – 7.6.3, 7.4.0 – 7.4.10, 7.2.0 – 7.2.14, 7.0.0 – 7.0.21 | 7.6.4+, 7.4.11+, 7.2.15+, 7.0.22+ |
| FortiSwitchManager | 7.2.0 – 7.2.6, 7.0.0 – 7.0.5 | 7.2.7+, 7.0.6+ |
| FortiWeb | 8.0.0, 7.6.0 – 7.6.4, 7.4.0 – 7.4.9 | 8.0.1+, 7.6.5+, 7.4.10+ |
But is patching enough? While Fortinet has released fixed versions, the question remains: are organizations doing enough to protect themselves? The fact that attackers are targeting weak secrets and exposed management interfaces suggests a need for more comprehensive security measures. As a temporary workaround, disabling FortiCloud SSO is recommended, but it's not a long-term solution. Organizations must prioritize upgrades, restrict management interfaces to trusted networks, and remain vigilant against ongoing threats.
Here's a thought-provoking question for our readers: With the rise of sophisticated attack vectors like these, is it time to re-evaluate our approach to network security? Are we doing enough to protect our critical infrastructure, or are we simply reacting to threats as they emerge? We want to hear from you – share your thoughts and experiences in the comments below, and let's start a conversation about the future of cybersecurity. Don't forget to follow us on social media for daily updates, and stay tuned for more in-depth analysis on this developing story.
