Arctic Wolf and FortiGuard Labs have confirmed a massive spike in exploitation of the FortiOS/FortiProxy authentication bypass vulnerabilities (CVE-2025-59718 & CVE-2025-59719) in the last 24 hours. Threat actors are using the cover of high New Year’s Eve network traffic to bypass SSO authentication and hijack admin sessions.
Business Impact
This is a “high-alert” situation for SOC teams tonight. Attackers are betting on reduced staffing during the holiday to gain persistence. Successful exploitation allows unauthenticated attackers to gain “super-admin” access, enabling them to disable logging and deploy ransomware immediately.
Why It Happened
The vulnerability exists in the FortiCloud SSO implementation. Although disabled by default on some versions, it is automatically enabled during FortiCare registration. Attackers are scanning for this specific configuration mismatch at scale.
Recommended Executive Action
IMMEDIATE: If you have not patched, disable FortiCloud SSO login on all FortiGate appliances now. Ensure your 24/7 SOC is specifically monitoring for “Admin Login Successful” logs from unknown external IPs tonight.
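As an added illustration of the monitoring step above (not part of the advisory), this Python script parses FortiGate-style key=value event logs and flags successful admin logins whose source IP is outside a trusted management range. The sample log lines, the trusted networks and the exact field layout are constructed assumptions; check them against your own FortiGate log format before use.

```python
import ipaddress
import re

# Trusted management networks (assumption: substitute your own ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# FortiGate event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Return a dict of fields from one FortiGate syslog line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_trusted(ip):
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_admin_logins(lines):
    """Flag successful admin logins whose source IP is outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "event" or f.get("status") != "success":
            continue
        if "admin login" not in f.get("logdesc", "").lower():
            continue
        src = f.get("srcip", "")
        if not is_trusted(src):
            hits.append({"time": f.get("time"), "user": f.get("user"),
                         "srcip": src, "profile": f.get("profile")})
    return hits


# Constructed sample lines modelled on the FortiGate event-log format.
SAMPLE_LOGS = [
    'date=2025-12-31 time=23:41:07 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 action="login" status="success" profile="super_admin"',
    'date=2025-12-31 time=23:42:19 devname="FGT-EDGE" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="ssh(10.20.30.5)" method="ssh" srcip=10.20.30.5 action="login" status="success" profile="super_admin"',
    'date=2025-12-31 time=23:43:02 devname="FGT-EDGE" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" method="https" srcip=198.51.100.9 action="login" status="failed" profile="super_admin"',
]

if __name__ == "__main__":
    for hit in find_suspicious_admin_logins(SAMPLE_LOGS):
        print("ALERT: admin login from untrusted IP:", hit)
```

Feed the script your exported FortiGate event logs line by line; only the successful login from the untrusted 203.0.113.45 address is reported in the sample.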
Hashtags: #Fortinet #FortiGate #NewYearsEve #MassExploitation #CVE202559718 #ArcticWolf #InfoSec
