Patched FortiGate Firewalls Still Vulnerable to CVE-2025-59718
▼ Summary
– The critical authentication bypass vulnerability CVE-2025-59718, exploited in December 2025, appears to persist in newer FortiOS versions that were supposed to be fixed.
– Multiple administrators and security firms have reported observing attack activity, including malicious logins and the creation of new admin accounts, on fully patched FortiGate firewalls.
– Attackers exploit the flaw via the FortiCloud SSO path, using malicious SAML responses to gain administrative access and exfiltrate device configurations for persistence.
– The current recommended mitigation is to disable the FortiCloud admin login feature, though its full effectiveness against this new campaign is uncertain.
– Security teams are advised to check logs for indicators of compromise, reset potentially exposed credentials, and restrict management interface access while awaiting updated fixes from Fortinet.
A critical security flaw in Fortinet’s FortiGate firewalls, previously believed to be resolved, continues to pose a significant threat to organizations worldwide. Despite official patches being issued, security researchers and administrators report that the authentication bypass vulnerability, tracked as CVE-2025-59718, remains actively exploitable on systems running supposedly fixed versions of FortiOS. This situation leaves networks vulnerable to complete takeover, as attackers can bypass login protections to create new administrative accounts and steal sensitive configuration data.
The issue came to light when a Fortinet administrator posted on a public forum, detailing a suspicious single sign-on (SSO) login and the creation of a new local admin account on a firewall already upgraded to the patched version 7.4.9. Other users quickly confirmed identical attack patterns on their own patched systems. One respondent noted that Fortinet’s own developer team had acknowledged the vulnerability was not fixed in version 7.4.10, with a correction scheduled for future releases like v7.4.11 and v7.6.6.
Multiple cybersecurity firms have observed this ongoing exploitation. Huntress reported detecting 11 instances in the past month, including one case where the customer was confident their system was fully updated. According to their analysis, attacks are leveraging malicious SAML responses through the FortiCloud single sign-on (SSO) path to bypass authentication, log in as administrators, and export full device configurations. These configurations provide attackers with credentials and a roadmap for establishing long-term persistence on the network.
Arctic Wolf Labs also confirmed a new wave of automated malicious activity targeting FortiGate devices starting in mid-January 2026. While the exact initial access method remains unconfirmed, the pattern is consistent: unauthorized SSO logins lead to configuration exfiltration and the creation of generic admin accounts with names like “helpdesk,” “secadmin,” or “itadmin.” All steps in this attack chain are executed rapidly in succession.
The immediate and most recommended mitigation is to disable the FortiCloud admin login option, either through the system settings or via the command line interface. This was the initial workaround suggested when the vulnerability was first disclosed. Security teams are urged to scrutinize their logs for indicators of compromise, such as logins from suspicious IP addresses associated with hosting providers or the creation of unexpected new user accounts.
If any malicious activity is detected, organizations should immediately assume that any credentials within exfiltrated configuration files are compromised and reset them. Experts further advise limiting management interface access to trusted internal networks only. However, researchers caution that because the full scope of the attack vector is not yet understood, disabling FortiCloud SSO may not offer complete protection. Affected organizations should contact Fortinet support directly for the most current guidance as the situation develops.
(Source: HelpNet Security)
