Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.

Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025–59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025–59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company’s FortiCare support service.

As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.