Fortinet Critical Auth Bypass Flaw Remains Unpatched
▼ Summary
– Fortinet confirmed a critical authentication bypass vulnerability (CVE-2025-59718) is being exploited, despite a patch being issued in December, and is working on a new fix.
– Attackers are using automated attacks to compromise fully patched firewalls, creating VPN accounts and stealing configurations, with activity matching a previous December campaign.
– Fortinet’s CISO advised customers to restrict administrative internet access and disable the FortiCloud SSO feature on devices until a permanent fix is available.
– Thousands of Fortinet devices with FortiCloud SSO enabled remain exposed online, and U.S. cybersecurity agencies have flagged the vulnerability as actively exploited.
– Customers who find evidence of compromise should treat their systems as breached, rotate all credentials, and restore configurations from a clean backup.
A critical security flaw in Fortinet’s single sign-on system continues to pose a significant threat, despite a patch being issued weeks ago. Cybersecurity teams are now reporting that fully updated firewalls are being compromised through a bypass of the original fix, leading to a new wave of automated attacks. The vulnerability, tracked as CVE-2025-59718, allows attackers to bypass authentication on devices using FortiCloud SSO.
Security firm Arctic Wolf observed this latest campaign beginning on January 15th. Attackers are exploiting the patch bypass to create new user accounts with VPN access and steal firewall configurations within seconds. This activity closely mirrors malicious exploits documented in December, immediately following the initial disclosure of the vulnerability.
Fortinet confirmed these reports on Thursday, acknowledging that the ongoing attacks match December’s malicious patterns. The company stated it is developing a new, comprehensive patch to fully address the issue. Customer logs show attackers creating administrative users after an SSO login from a specific suspicious IP address, which aligns with indicators of compromise identified by both Arctic Wolf and Fortinet.
Fortinet’s Chief Information Security Officer, Carl Windsor, explained that recent customer reports of unexpected login activity prompted the investigation. “In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” Windsor stated. He noted that while only exploitation via FortiCloud SSO has been observed, the underlying issue affects all SAML-based SSO implementations within their products.
Until a permanent fix is released, Fortinet advises customers to take immediate defensive actions. The primary recommendations are to restrict administrative access from the internet and to disable the FortiCloud SSO feature entirely. Administrators should apply a local-in policy to limit which IP addresses can reach their devices’ management interfaces. They should also navigate to System -> Settings -> Switch within the device interface and turn off the option for “Allow administrative login using FortiCloud SSO.”
For organizations that find evidence of compromise, the guidance is to assume the system and its configuration are fully compromised. Affected teams must rotate all credentials, including any linked LDAP or Active Directory accounts, and restore device configurations from a known clean backup.
The scope of the exposure is substantial. The Shadowserver Foundation currently tracks nearly 11,000 Fortinet devices exposed online with FortiCloud SSO enabled. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its catalog of known exploited vulnerabilities in mid-December, mandating that federal agencies apply patches within one week. The persistence of active exploitation underscores the urgent need for organizations to implement the recommended workarounds while awaiting a final resolution from the vendor.
(Source: Bleeping Computer)
