FortiGate devices targeted with malicious SSO logins

Researchers warn of intrusion activity that was first discovered on Friday targeting Fortinet FortiGate appliances using malicious single sign-on (SSO) logins, according to a blog released Monday from Arctic Wolf. 

The threat activity comes about a week after Fortinet disclosed two critical authentication bypass vulnerabilities in multiple products. Fortinet said the flaws were originally discovered by two members of its product security team.

The flaws, tracked as CVE-2025-59718 and CVE-2025-59719, allow an attacker to bypass the FortiCloud SSO authentication using a crafted SAML message if the feature is enabled on the device. 

Arctic Wolf originally detected the malicious logins on networks it protects through its managed detection and response service, a spokesperson told Cybersecurity Dive. Arctic Wolf said it originally advised its own customers of the vulnerabilities in a Dec. 10 bulletin and since the malicious logins were detected, it has observed tens of intrusions. 

Researchers are still investigating the incidents and do not know who may be behind the threat activity. They added the intrusions “appear to be opportunistic in nature” and not targeting specific companies.

Arctic Wolf researchers have reached out to Fortinet and provided additional technical details about the threat activity. Fortinet did not return a request for comment.

Defused has also detected threat activity, noting that seven different IPs were found exploiting its Fortinet honeypots over the weekend.

Fortinet said the FortiCloud SSO feature is not enabled under factory default settings but, when an administrator registers the device from the graphical user interface, the setting is enabled unless an administrator disables a toggle switch that reads: “Allow administrative login using FortiCloud SSO.”

Fortinet said users should temporarily disable the FortiCloud login feature on vulnerable versions until upgrades are applied. 

The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog. 

Arctic Wolf said if users detect malicious activity, they should reset firewall credentials. It also recommends limiting firewall management interface access to trusted internal networks.
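The two mitigations the article names, disabling the FortiCloud SSO login toggle until the upgrade is applied and restricting management access to trusted internal networks, can be applied from the FortiOS CLI as well as the GUI. The fragment below is an added example, not configuration from the article, Fortinet or Arctic Wolf; the option names are taken from the FortiOS CLI as I know it rather than from the article, so check them against the Fortinet advisory for your FortiOS version, and the admin account name "admin", the 10.20.30.0/24 management subnet and the password placeholder are assumed values.

```text
# Added example (not from the article or from Fortinet): FortiOS CLI fragment
# applying the mitigations the article describes. Option names are from my
# knowledge of the FortiOS CLI, not from the article; "admin", the subnet
# 10.20.30.0/24 and NEW_PASSWORD_PLACEHOLDER are placeholders.

# 1. Disable administrative login via FortiCloud SSO. This is the CLI form of
#    the GUI toggle "Allow administrative login using FortiCloud SSO"; the
#    article notes the toggle is switched on when the device is registered
#    from the GUI, so re-check it after any FortiCloud registration.
config system global
    set admin-forticloud-sso-login disable
end

# 2. Restrict where each administrator account may log in from. A trusthost
#    entry limits the source addresses accepted for that account; an account
#    with no trusthost entries accepts logins from any address. Repeat the
#    edit block for every admin account on the device.
config system admin
    edit "admin"
        set trusthost1 10.20.30.0 255.255.255.0
        # 3. If malicious SSO logins were observed, rotate the credentials
        #    of every administrator account as part of the same change.
        set password NEW_PASSWORD_PLACEHOLDER
    next
end

# 4. Confirm the SSO login setting before ending the session ("get" prints
#    the value even when it matches the default).
get system global | grep admin-forticloud-sso-login
```

Disabling SSO login removes the authentication path the crafted SAML message abuses, so it is the workaround for unpatched versions; the trusthost restriction is independent of the patch and remains worthwhile after upgrading, because it keeps the management interface unreachable from addresses like the honeypot-scanning IPs the article mentions.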