Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9. Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw. "We just had a malicious SSO login on one of our FortiGate's running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said. The customer shared logs showing that the admin user was created from an SSO login of [email protected] from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts. "We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named "helpdesk". We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added. BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.
Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
To disable FortiCloud login, you have to navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. However, you can also run the following commands from the command-line interface:
config system global set admin-forticloud-sso-login disable end
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.
CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.
Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.