Threat actors were observed exploiting two critical 9.8 flaws in Fortinet FortiGate next-generation firewalls less than a week after public disclosure.A Dec. 15 blog post by Arctic Wolf researchers said they observed active intrusions involving malicious single sign-on (SSO) logins on the FortiGate firewalls as recent as Dec. 12.Patches for the two flaws — CVE-2025-59718 and CVE-2025-59719 — were released by Fortinet Dec. 9 for FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager; CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog yesterday on Dec. 16.With this latest news of active exploitation in just a few short days, security pros said time was of the essence.“Teams must move fast because the risk of exploitation is directly tied to how quickly the Fortinet devices can be patched,” said John Gallagher, vice president of Viakoo Labs. “Teams need to have an up-to-date and comprehensive asset inventory to quickly locate vulnerable devices.”
Related reading:
Gallagher added that because it’s a next-generation firewall device, FortiGate customers may have it deployed across a wide range of scenarios. Organizations with large fleets of IoT/OT/ICS devices should stay especially alert, said Gallagher, as these devices may not often show indicators of compromise and could wind up being the next step in an evolving attack campaign. Gary Orenstein, chief customer officer at Bitwarden, said as Arctic Wolf noted in its Fortinet investigation, even when credentials are stored in hashed form, weak or reused passwords remain vulnerable to offline cracking through dictionary-based attacks. Orenstein said once attackers exploit an authentication bypass and export device configurations, those hashed credentials often become a second-stage target.“At that point, the issue is no longer just the initial SSO flaw,” said Orenstein. “Weak, predictable, or reused administrative credentials can turn a single compromise into broader access across infrastructure and identity systems, enabling lateral movement and persistence."Orenstein said here’s where good credential habits become a practical security control, not just a best practice: teams must use strong and unique credentials, supported by a password manager to significantly reduce the effectiveness of dictionary and brute force attacks against exfiltrated hashes. From a response standpoint, Orenstein said security teams should also treat exposed configurations as full compromise and reset all associated credentials immediately.
Nevan Beal, principal MDR analyst at Blackpoint Cyber, said edge appliances are attractive targets for threat actors because a compromise can offer a direct foothold for follow-on activity such as credential harvesting, lateral movement, and long-term persistence. For organizations, Beal said running an unpatched edge device is not just falling behind on updates: it can create an open door for attackers.“Attackers are increasingly prioritizing the theft of credentials so they can quietly re-enter an environment later,” said Beal. “Once they have valid usernames, passwords, or VPN secrets, patching the underlying vulnerability may not remove the threat, because they can simply authenticate through the appliance as intended and move into the internal network to pursue their objectives.”In the case of FortiGate appliances, Beal said stolen credentials can enable persistent VPN access, administrative control of the device, and credential reuse to facilitate lateral movement to other systems. It’s how a single compromised device or set of credentials can rapidly escalate into an enterprise-wide compromise.Here are some tips Beal offers to security teams:Ismael Valenzuela, vice president of labs, threat research and intelligence at Arctic Wolf, added that teams can reduce exposure by strictly limiting management access to Fortinet edge devices in line with Fortinet’s hardening recommendations.Valenzuela said this standard best practice helps shrink the attack surface for this issue and future ones.“Given that hundreds of thousands of Fortinet appliances are accessible on the public internet via specialized search engines, opportunistic attempts can scale quickly - so swift hardening and close monitoring of abnormal login activity are critical,” said Valenzuela.
- Ensure all appliances are patched and up-to-date.
- Assume the organization's credentials are compromised. Reset and rotate VPN credentials, firewall administrative passwords, and any associated secrets, and enable and enforce MFA.
- Review telemetry for indicators of misuse, including anomalous administrative logins, unexpected configuration changes, newly established VPN sessions, and access occurring outside normal business hours; implement continuous monitoring for anomalous VPN connections.
- Reduce exposure by restricting firewall management access to approved sources only and strengthen containment by segmenting internal networks to limit lateral movement.
