Patched FortiGate Firewalls Still Vulnerable to Hacks
▼ Summary
– Attackers are exploiting a patch bypass for a critical FortiGate authentication vulnerability (CVE-2025-59718) to compromise firewalls that were already updated to supposedly patched versions like 7.4.9.
– Fortinet has reportedly confirmed the vulnerability persists in the latest FortiOS version (7.4.10) and plans to release new versions (7.4.11, 7.6.6, 8.0.0) to fully address the flaw.
– As a temporary mitigation, administrators are advised to disable the vulnerable “Allow administrative login using FortiCloud SSO” feature in their system settings.
– While the FortiCloud SSO feature is not enabled by default, over 11,000 Fortinet devices remain exposed online with it enabled, according to recent tracking data.
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its list of actively exploited flaws, requiring federal agencies to patch within a week.
Organizations relying on Fortinet firewalls face a renewed threat as attackers successfully bypass patches for a critical authentication vulnerability. Security teams are discovering that even devices updated to the latest FortiOS version 7.4.9, and the subsequent 7.4.10, remain susceptible to exploitation. This flaw, tracked as CVE-2025-59718, allows unauthorized administrative access through the FortiCloud single sign-on feature. One system administrator reported a malicious SSO login that created a new local admin account, despite their firewall being patched since late December. The attack patterns, including a specific IP address and user agent, match previous incidents documented by cybersecurity researchers.
Multiple users have confirmed similar breaches, with one noting that Fortinet’s own developer team acknowledged the vulnerability persists in version 7.4.10. The company is reportedly preparing new releases, FortiOS 7.4.11, 7.6.6, and 8.0.0, to fully address the security gap. In the interim, the recommended action is to temporarily disable the “Allow administrative login using FortiCloud SSO” option within the device settings. This can be done through the web interface or via a specific CLI command. While this feature is not enabled by default on non-registered devices, recent scans indicated thousands of systems were still exposed online with it active.
The urgency is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding this flaw to its catalog of known exploited vulnerabilities, mandating federal agencies to apply patches within a strict timeframe. Concurrently, a separate critical vulnerability in Fortinet’s FortiSIEM product is being actively exploited using publicly available proof-of-concept code, which can grant attackers root-level control over unpatched systems. These developments highlight a challenging period for network defenders, emphasizing the need for vigilant monitoring and proactive mitigation steps beyond vendor-supplied updates.
(Source: Bleeping Computer)
