Fortinet clients are seeing attackers exploiting a patch bypass for a beforehand fastened essential FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One of many affected admins stated that Fortinet has allegedly confirmed that the most recent FortiOS model (7.4.10) did not absolutely deal with this authentication bypass vulnerability, which ought to’ve been patched in early December with the discharge of FortiOS 7.4.9.
Fortinet can be reportedly planning to launch FortiOS 7.4.11, 7.6.6, and eight.0.0 over the approaching days to totally patch the safety flaw.
“We simply had a malicious SSO login on certainly one of our FortiGate’s operating on 7.4.9 (FGT60F). We now have a SIEM that caught the native admin account being created. Now, I’ve finished some research, and it seems that is precisely the way it seemed when somebody got here in on CVE-2025-59718. However we now have been on 7.4.9 since December thirtieth,” the admin stated.
The client shared logs displaying that the admin person was created from an SSO login of cloud-init@mail.io from IP deal with 104.28.244.114. These logs seemed just like earlier exploitation of CVE-2025-59718 seen by cybersecurity firm Arctic Wolf in December 2025, which reported that attackers have been actively exploiting the vulnerability by way of maliciously crafted SAML messages to compromise admin accounts.
“We noticed the identical exercise. Additionally operating 7.4.9. Identical person login and IP deal with. Created a brand new system admin person named “helpdesk”. We now have an open ticket with assist. Replace: The Fortinet developer group has confirmed the vulnerability persists or isn’t fastened in v7.4.10,” one other one added.
BleepingComputer reached out to Fortinet a number of instances this week with questions on these experiences, however the firm has but to answer.
Till Fortinet supplies a totally patched FortiOS launch, admins are suggested to briefly disable the susceptible FortiCloud login characteristic (if enabled) to safe their programs in opposition to assaults.
To disable FortiCloud login, it’s important to navigate to System -> Settings and change “Enable administrative login utilizing FortiCloud SSO” to Off. Nonetheless, you may also run the next instructions from the command-line interface:
config system international
set admin-forticloud-sso-login disable
finish
Fortunately, as Fortinet explains in its unique advisory, the FortiCloud single sign-on (SSO) characteristic focused within the assaults isn’t enabled by default when the gadget isn’t FortiCare-registered, which ought to scale back the overall variety of susceptible gadgets.
Nonetheless, Shadowserver nonetheless discovered over 25,000 Fortinet gadgets uncovered on-line with FortiCloud SSO enabled in mid-December. In the intervening time, greater than half have been secured, with Shadowserver now monitoring just over 11,000 which are nonetheless reachable over the Web.
CISA has additionally added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its checklist of actively exploited vulnerabilities, ordering federal businesses to patch inside every week.
Hackers are actually additionally actively exploiting a essential Fortinet FortiSIEM vulnerability with publicly obtainable proof-of-concept exploit code that may allow them to realize code execution with root privileges on unpatched gadgets.
Whether or not you are cleansing up outdated keys or setting guardrails for AI-generated code, this information helps your group construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
