Saved February 14, 2026
Do you care about this?
Arctic Wolf has observed malicious SSO logins to FortiGate appliances that it links to two critical Fortinet vulnerabilities, CVE-2025-59718 and CVE-2025-59719. Both allow an unauthenticated attacker to bypass SSO authentication with crafted SAML messages when the FortiCloud SSO login feature is enabled, which it is by default on devices registered through FortiCare. Administrators should reset admin credentials, restrict access to the management interface, and upgrade to a fixed release.
If you do, here's more
On December 12, 2025, Arctic Wolf reported an uptick in malicious SSO logins targeting FortiGate appliances. The intrusions followed Fortinet's December 9, 2025 disclosure of two serious vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which allow an unauthenticated attacker to bypass SSO login authentication by sending specially crafted SAML messages, provided the FortiCloud SSO login feature is enabled. Fortinet's advisory notes that this feature is enabled by default when a device is registered through FortiCare unless it has been explicitly disabled, so many appliances are exposed without their administrators having opted in.
The malicious logins primarily targeted administrator accounts, and the activity traced back to a small set of source IP addresses belonging to a few hosting providers. Once logged in, the attackers exported the device configuration through the GUI. Arctic Wolf noted that although the credentials in a FortiGate configuration are stored as hashes, weak passwords can be recovered from those hashes offline, so affected organisations should treat the exported credentials as exposed and reset their firewall credentials immediately.
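One way to hunt for the activity described above in exported FortiGate event logs, as an added example that is not Arctic Wolf's or Fortinet's code: flag successful admin logins whose method is SSO and whose source address lies outside the trusted management ranges, then check whether the same user and address went on to back up the configuration. The log lines are constructed for the example; the logid, logdesc and method values are assumptions modelled on the FortiOS key="value" event format and must be validated against logs from your own firewalls before the logic is used for real.

```python
"""Triage FortiGate admin-login events for the pattern described above: a
successful SSO login to an admin account from an address outside the trusted
management ranges, followed by a configuration backup by that user and address.

Added example, not code from Arctic Wolf or Fortinet. The sample lines are
constructed in the FortiOS key="value" event-log shape; which exact logid,
logdesc and method values a given FortiOS build emits for these events is an
assumption here and should be checked against your own device's logs.
"""
import ipaddress
import re
from typing import Iterable

# key=value or key="quoted value" tokens of a FortiOS log line
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Management networks from which admin logins are expected (assumed values).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Assumed logdesc text of the config-backup event to correlate against.
CONFIG_BACKUP_LOGDESC = "Config backup"

# Constructed sample: a normal HTTPS login, an SSO login from a hosting-provider
# style address followed by a config backup, an SSO login from a trusted net,
# and a failed password attempt from the untrusted address.
SAMPLE_LOG = '''\
date=2025-12-12 time=03:14:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.20.30.5)" method="https" srcip=10.20.30.5 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.20.30.5)"
date=2025-12-12 time=03:41:52 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" method="sso" srcip=203.0.113.7 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(203.0.113.7)"
date=2025-12-12 time=03:42:10 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Config backup" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 msg="Configuration is backed up by user admin via https(203.0.113.7)"
date=2025-12-12 time=08:02:33 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(192.168.4.20)" method="sso" srcip=192.168.4.20 action="login" status="success" reason="none" profile="super_admin" msg="Administrator netops logged in successfully from https(192.168.4.20)"
date=2025-12-12 time=09:15:01 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.7) because of invalid password"
'''


def parse_fortigate_line(line: str) -> dict[str, str]:
    """Split one FortiOS log line into a field dict, unquoting quoted values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def in_trusted_nets(ip: str, nets=TRUSTED_MGMT_NETS) -> bool:
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or unparsable source address: treat as untrusted
    return any(addr in net for net in nets)


def triage_admin_sso_logins(lines: Iterable[str], nets=TRUSTED_MGMT_NETS) -> list[dict]:
    """Return one alert per successful SSO admin login from outside `nets`.

    Each alert records whether the same user/IP pair later produced a
    config-backup event, the post-login step the article describes.
    """
    events = [parse_fortigate_line(l) for l in lines if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if ev.get("method", "").lower() != "sso":
            continue
        src = ev.get("srcip", "")
        if in_trusted_nets(src, nets):
            continue
        # Correlate: did this user, from this address, export the config later?
        backup_after = any(
            later.get("logdesc") == CONFIG_BACKUP_LOGDESC
            and later.get("user") == ev.get("user")
            and later.get("srcip") == src
            for later in events[i + 1:]
        )
        alerts.append({
            "time": f'{ev.get("date", "")} {ev.get("time", "")}',
            "user": ev.get("user"),
            "srcip": src,
            "profile": ev.get("profile"),
            "config_backup_after_login": backup_after,
        })
    return alerts


if __name__ == "__main__":
    for a in triage_admin_sso_logins(SAMPLE_LOG.splitlines()):
        verdict = ("config exported: reset every credential in it"
                   if a["config_backup_after_login"] else "review session")
        print(f'{a["time"]} user={a["user"]} srcip={a["srcip"]} -> {verdict}')
```

The trusted ranges are the important knob: the indicator here is not SSO itself but an SSO admin login from an address that should never reach the management interface, which is also why restricting that interface to internal networks removes most of the attack surface regardless of the SAML flaw.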
To reduce the risk, Arctic Wolf recommends restricting access to the firewall management interfaces to trusted internal networks and upgrading affected Fortinet products to fixed releases. FortiOS 7.6.0 through 7.6.3, for example, is affected and should be upgraded to 7.6.4 or later; the other affected products and branches have their own fixed versions listed in Fortinet's advisory. As a workaround until the upgrade can be applied, Fortinet suggests disabling the FortiCloud SSO login feature.