Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices. Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on December 12, 2025.

The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).

Patches for the flaws were released by Fortinet last week for FortiOS, FortiWeb, and FortiProxy. The campaign is still in its early stages, and only a relatively small proportion of monitored networks have been affected, Arctic Wolf Labs said. It's worth noting that while FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration unless administrators explicitly turn it off using the "Allow administrative login using FortiCloud SSO" setting on the registration page.

On December 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-1918 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply the patches as soon as possible and by December 23, 2025.

It is recommended that organizations install the patches on impacted devices due to the continued exploitation activity.