Fortinet Firewalls Remain at Risk: Attackers Bypass Patches for Critical SSO Vulnerability

Fortinet Firewalls Remain at Risk: Attackers Bypass Patches for Critical SSO Vulnerability

Alex Cipher's Profile Pictire Alex Cipher 9 min read

A wave of frustration and alarm has swept through the Fortinet admin community as patched FortiGate firewalls—supposedly protected by the latest firmware—continue to fall victim to sophisticated cyberattacks. The culprit? A critical authentication vulnerability, CVE-2025-59718, that attackers have managed to exploit even after Fortinet’s December 2025 patch release. By manipulating the FortiCloud Single Sign-On (SSO) feature with malicious SAML messages, adversaries are not just bypassing authentication—they’re creating new admin accounts and gaining persistent, high-level access to targeted networks. Real-world incidents, such as the creation of rogue admin accounts from suspicious IP addresses, have been reported on devices running the latest firmware, underscoring the technical prowess and adaptability of these threat actors. The scale of exposure is staggering: at its peak, over 25,000 FortiGate devices with SSO enabled were accessible online, and even after a wave of emergency mitigations, more than 11,000 remain vulnerable as of January 2026 (BleepingComputer). This crisis has prompted urgent advisories from security agencies and a scramble for more robust fixes, highlighting the ongoing cat-and-mouse game between defenders and attackers in the cybersecurity landscape.

How Attackers Are Outsmarting FortiGate Patches: The Technical Lowdown

Exploiting Patch Bypass: The Anatomy of the Attack

Attackers have demonstrated a high level of technical sophistication in bypassing the patches intended to remediate the critical authentication vulnerability tracked as CVE-2025-59718 in FortiGate firewalls. Despite the release of FortiOS 7.4.9 in December 2025, which was supposed to address this flaw, reports indicate that adversaries are leveraging a patch bypass to continue compromising even updated devices (BleepingComputer).

The core of the attack revolves around the exploitation of the FortiCloud Single Sign-On (SSO) feature. Attackers craft malicious SAML messages to trigger the authentication bypass, allowing them to escalate privileges and create administrative accounts on targeted appliances. In one documented case, logs revealed the creation of a local admin account via an SSO login from the email cloud-init@mail.io and the IP address 104.28.244.114, even though the device had been running the patched 7.4.9 firmware since December 30th, 2025. This pattern closely mirrors previous exploitation tactics observed by security researchers at Arctic Wolf, who tracked similar attacks in December 2025.

The technical bypass appears to exploit a gap in the patch logic, enabling unauthorized SSO authentication to persist. Fortinet has acknowledged that the latest release, FortiOS 7.4.10, did not fully remediate the vulnerability, and a more comprehensive fix is anticipated in upcoming versions (7.4.11, 7.6.6, and 8.0.0) (BleepingComputer).

Attack Surface: Scope and Exposure of Vulnerable Devices

The attack surface for this vulnerability is significant, primarily due to the widespread exposure of FortiGate devices with FortiCloud SSO enabled. Although Fortinet clarified that this feature is not enabled by default unless the device is registered with FortiCare, external scans by Shadowserver in mid-December 2025 identified over 25,000 Fortinet devices accessible online with FortiCloud SSO active. By January 2026, this number had decreased to just over 11,000, indicating that more than half of the initially exposed devices had been secured, but thousands remain vulnerable (BleepingComputer).

The urgency of the situation is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2025-59718 to its catalog of actively exploited vulnerabilities and mandating federal agencies to patch affected systems within a week. The continued presence of thousands of exposed devices highlights the scale of the risk and the attackers’ ability to rapidly identify and target unpatched or insufficiently patched systems.

Attackers’ Tactics: Persistence and Lateral Movement

Once attackers gain unauthorized access using the SSO authentication bypass, their tactics often involve creating new administrative accounts to establish persistence. For example, in one reported incident, a new system admin user named “helpdesk” was created by the attacker, allowing ongoing access even if the original exploit vector is later closed (BleepingComputer).

Attackers also leverage their access to disable security controls, exfiltrate sensitive configurations, and potentially pivot to other systems within the network. The ability to execute these actions stems from the high privilege level granted by the compromised SSO authentication process. The creation of local admin accounts and the manipulation of device settings are common post-exploitation steps, enabling attackers to maintain control and evade detection.

Technical Weaknesses in Patch Implementation

The failure of FortiOS 7.4.9 and 7.4.10 to fully mitigate CVE-2025-59718 is rooted in technical weaknesses in the patch implementation. While the specifics of the bypass technique have not been publicly disclosed in detail, available evidence suggests that the patch did not adequately address all vectors by which SAML messages could be manipulated to achieve authentication bypass.

This incomplete remediation allowed attackers to continue exploiting the vulnerability using variations of the original attack method. The persistence of the issue across multiple firmware versions points to challenges in addressing complex authentication logic flaws, especially in features like SSO that interact with external identity providers and protocols such as SAML.

The situation has prompted Fortinet to accelerate the release of additional firmware updates (7.4.11, 7.6.6, and 8.0.0) aimed at closing the remaining gaps. In the interim, Fortinet has advised administrators to disable the FortiCloud SSO feature as a temporary mitigation. This can be accomplished via the device’s command-line interface using the commands:

config system global
set admin-forticloud-sso-login disable
end

or by navigating to System -> Settings and switching “Allow administrative login using FortiCloud SSO” to Off (BleepingComputer).

Attackers’ Use of Automation and Reconnaissance

Attackers have demonstrated the ability to rapidly scan the internet for vulnerable FortiGate appliances, automate exploitation attempts, and adapt to changes in patch status. The large number of devices initially found exposed by Shadowserver suggests the use of automated reconnaissance tools to identify targets with FortiCloud SSO enabled.

Once a vulnerable device is identified, attackers can quickly deploy exploit scripts that deliver malicious SAML payloads to bypass authentication. The speed at which new admin accounts were observed being created on patched devices indicates a high level of automation and operational maturity among the threat actors.

Furthermore, attackers are monitoring vendor advisories and patch releases to adjust their tactics. The exploitation of devices running the latest available firmware (7.4.9 and 7.4.10) demonstrates an awareness of patch timelines and the ability to test and refine exploits against updated systems. This cat-and-mouse dynamic places significant pressure on defenders to implement mitigations promptly and monitor for signs of compromise even after patching.

While the primary focus has been on the CVE-2025-59718 FortiCloud SSO authentication bypass, attackers are also actively targeting other vulnerabilities in Fortinet products. For instance, a critical FortiSIEM vulnerability with publicly available proof-of-concept exploit code is being used to gain root-level code execution on unpatched devices (BleepingComputer). This parallel exploitation campaign highlights the attackers’ strategy of targeting multiple weaknesses simultaneously to maximize their chances of success.

The convergence of multiple active exploits against Fortinet products complicates incident response and underscores the importance of comprehensive patch management and layered defenses. Organizations must not only address the specific CVE-2025-59718 issue but also remain vigilant for other vulnerabilities that may be targeted in coordinated attacks.

Real-World Impact: Observed Incidents and Community Response

The technical sophistication of the attackers is evident in the real-world incidents reported by Fortinet administrators. Multiple organizations have observed unauthorized SSO logins, creation of new admin accounts, and connections from suspicious IP addresses, all occurring on systems believed to be fully patched. These incidents have prompted a surge in support tickets and community discussions, with administrators sharing indicators of compromise and mitigation strategies.

BleepingComputer’s coverage includes direct accounts from affected admins, such as one who reported a malicious SSO login on a FortiGate device running 7.4.9, with their SIEM detecting the creation of a local admin account. Another admin confirmed similar activity on 7.4.9, with the same user login and IP address, and noted that Fortinet’s developer team had acknowledged the persistence of the vulnerability in 7.4.10 (BleepingComputer).

The security community has responded by rapidly disseminating guidance on disabling vulnerable features, sharing detection rules, and tracking the evolution of attacker tactics. The collaborative response has contributed to the reduction in exposed devices but also highlights the ongoing risk as attackers continue to probe for weaknesses.

Implications for Patch Development and Security Best Practices

The ongoing exploitation of CVE-2025-59718 despite multiple patch attempts has significant implications for both vendors and defenders. For vendors like Fortinet, the incident underscores the need for rigorous patch validation, comprehensive testing of authentication logic, and transparent communication with customers regarding the status of vulnerabilities and mitigations.

For defenders, the crisis illustrates the importance of defense-in-depth strategies, including:

  • Disabling unused or non-essential features (such as FortiCloud SSO if not required)
  • Monitoring for anomalous administrative activity (e.g., creation of new admin accounts, logins from unfamiliar IP addresses)
  • Applying patches promptly, but also verifying their effectiveness through testing and monitoring
  • Maintaining an incident response plan to address potential breaches even after patching

The rapid evolution of attacker tactics in response to patch releases highlights the need for continuous vigilance and adaptive security measures.

Summary of Key Technical Insights

  • Attackers are exploiting a patch bypass in FortiGate’s FortiCloud SSO authentication, leveraging crafted SAML messages to gain admin access even on patched systems.
  • Over 25,000 devices were initially exposed online with FortiCloud SSO enabled; as of January 2026, more than 11,000 remain vulnerable.
  • Attackers automate reconnaissance and exploitation, quickly adapting to new patches and creating persistent admin accounts.
  • The incomplete remediation in FortiOS 7.4.9 and 7.4.10 has necessitated further updates, with Fortinet planning additional releases to fully address the flaw.
  • The broader threat landscape includes simultaneous exploitation of other Fortinet vulnerabilities, increasing the complexity of defense.

For ongoing updates and detailed technical advisories, refer to BleepingComputer’s coverage.

Final Thoughts

The ongoing saga of the CVE-2025-59718 patch bypass is a stark reminder that cybersecurity is rarely a one-and-done affair. Attackers’ ability to adapt, automate, and exploit even the latest patches demonstrates the need for layered defenses and continuous vigilance. For organizations relying on FortiGate firewalls, disabling vulnerable features like FortiCloud SSO, monitoring for unusual admin activity, and staying abreast of firmware updates are now non-negotiable best practices. The broader lesson extends beyond Fortinet: as attackers increasingly target authentication logic and exploit patch gaps, both vendors and defenders must prioritize rigorous testing, transparent communication, and rapid incident response. The collaborative efforts of the security community—sharing indicators of compromise, detection rules, and mitigation strategies—have already reduced the number of exposed devices, but the threat remains active. Staying ahead in this high-stakes game requires not just patching, but proactive, adaptive security strategies (BleepingComputer).

References

Related Articles