Arctic Wolf detected malicious SSO logins on FortiGate appliances linked to critical vulnerabilities CVE-2025-59718 and CVE-2025-59719. These vulnerabilities allow unauthenticated access via crafted SAML messages if the FortiCloud SSO feature is enabled. Administrators are urged to reset credentials, restrict access, and upgrade to the latest software versions.

Fortinet has alerted customers that threat actors are exploiting a technique to maintain read-only access to compromised FortiGate VPN devices, even after vulnerabilities have been patched. The attackers create symbolic links in the device's file system, allowing them to access sensitive information despite updates meant to address the initial breaches. A wave of these attacks has been reported since early 2023, prompting Fortinet and CERT-FR to advise affected users to take immediate action to secure their devices.