In-the-Wild Exploitation of Fresh Fortinet Flaws Begins
securityweek
Threat actors have started exploiting two recent Fortinet vulnerabilities only days after patches were released, Arctic Wolf warns.
The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.8), are described as improper verification of cryptographic signature issues impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Fortinet rolled out fixes for the two bugs on December 9, warning that they can be exploited via crafted SAML response messages to bypass the FortiCloud SSO login authentication.
While disabled in default factory settings, SSO login authentication is enabled when an administrator registers a new device to FortiCare, unless they specifically disable the feature from the registration page.
Arctic Wolf says it observed threat actors exploiting the critical-severity authentication bypass defects starting December 12, only three days after patches were released.
As part of the observed intrusions, the malicious SSO logins on FortiGate devices typically targeted the admin account and originated from multiple ...

