Active Exploitation of Fortinet FortiGate Devices Raises Alarm Across Security Community

Security researchers are warning of active intrusion attempts targeting Fortinet FortiGate devices, following the discovery of malicious single sign-on (SSO) activity linked to recently disclosed vulnerabilities. The activity was first identified last Friday, according to a new report from Arctic Wolf.

The attacks come shortly after Fortinet disclosed two critical authentication bypass flaws affecting multiple products. The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, allow attackers to bypass FortiCloud single sign-on authentication by abusing specially crafted SAML messages—provided the SSO feature is enabled on the device.

Arctic Wolf said it initially detected the malicious login attempts across environments it monitors through its managed detection and response (MDR) service. The company confirmed it alerted customers about the issue in a December 10 advisory and has since observed multiple confirmed intrusions linked to the activity.

According to researchers, the attacks appear opportunistic rather than targeted. While the investigation is ongoing, there is currently no evidence pointing to a specific threat actor or organized campaign. However, the scale of the activity suggests broad internet scanning and exploitation attempts rather than isolated incidents.

Fortinet acknowledged the issue and explained that the vulnerable FortiCloud SSO feature is not enabled by default. However, it becomes active when administrators register a device through the graphical interface unless the option labeled “Allow administrative login using FortiCloud SSO” is manually disabled.

Security firm Defused also reported observing malicious activity related to the flaw, noting that its Fortinet honeypots recorded exploitation attempts from at least seven distinct IP addresses over a short period.

The Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild and urging organizations to take immediate action.

Arctic Wolf advises affected organizations to promptly disable FortiCloud SSO on vulnerable systems until patches are applied. The firm also recommends resetting firewall credentials, restricting administrative access to trusted internal networks, and closely monitoring for signs of unauthorized access.

As investigations continue, security teams are urged to treat this threat as high priority and ensure all Fortinet devices are fully updated and properly configured to reduce exposure.
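As an added example (not from the Arctic Wolf report or Fortinet's own tooling), the script below shows one way to act on the monitoring recommendation: it parses FortiGate-style key=value event log lines and flags successful administrative logins that either arrive from outside a defined trusted management range or use the SSO method. The log lines are constructed for illustration, and the exact field names, the `method="sso"` value and the trusted networks are assumptions rather than documented device output.

```python
import ipaddress
import re

# Trusted management networks (assumption for this example; adjust to your environment).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Matches key=value pairs where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_line(line):
    """Parse a FortiGate-style key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields

def is_trusted(ip_str):
    """True if the address falls inside one of the trusted management networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_admin_logins(lines):
    """Return (user, srcip, method) for successful admin logins from untrusted sources or via SSO."""
    hits = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        if f.get("action") != "login" or f.get("status") != "success":
            continue  # failed logins are noise for this check; track them separately if needed
        src, method = f.get("srcip", ""), f.get("method", "")
        if not is_trusted(src) or method == "sso":  # "sso" method value is an assumption
            hits.append((f.get("user", "?"), src, method))
    return hits

# Constructed sample lines in FortiGate syslog style (not real device output).
SAMPLE_LOGS = [
    'date=2025-12-12 time=08:01:10 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(192.168.1.10)" method="https" srcip=192.168.1.10 '
    'action="login" status="success" reason="none" msg="Administrator admin logged in successfully"',
    'date=2025-12-12 time=08:07:42 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="sso(203.0.113.45)" method="sso" srcip=203.0.113.45 '
    'action="login" status="success" reason="none" msg="Administrator admin logged in successfully"',
    'date=2025-12-12 time=08:09:03 logid="0100032002" type="event" subtype="system" level="alert" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 '
    'action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
]

if __name__ == "__main__":
    for user, src, method in suspicious_admin_logins(SAMPLE_LOGS):
        print(f"ALERT: admin login user={user} srcip={src} method={method}")
```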
