A critical vulnerability in Fortinet’s Single Sign-On (SSO) feature for FortiGate firewalls, tracked as CVE-2025-59718, is under active exploitation.
Attackers are leveraging it to create unauthorized local admin accounts, granting full administrative access to internet-exposed devices.
Multiple users have reported identical attack patterns, prompting Fortinet’s PSIRT forensics team to investigate.
CVE-2025-59718 affects the FortiCloud SSO login mechanism in FortiOS. It allows a remote attacker to authenticate to the firewall’s administrative interface through a malicious SSO login, bypassing the normal admin authentication controls.
The flaw persists despite earlier patches, and it results in full privilege escalation on firewalls that use FortiCloud SSO or SAML for admin authentication.
No CVSS score is published yet, but the observed impact is severe: attackers create backdoor administrator accounts, named “helpdesk” in the reported cases, with full system privileges. Exploitation requires that the administrative interface be reachable from the internet and that SSO login be enabled.
Exploitation in the Wild
Reddit user u/csodes and others described incidents on FortiGate 7.4.9 (FGT60F models, for example). A malicious SSO login was followed by the creation of a local admin account from the same IP address, which was picked up through SIEM alerts. The affected users confirmed that 7.4.9 had been deployed since late December 2025, ruling out compromise on an earlier version.
One organization noted: “Our Local-In policy script failed, and the device was internet-reachable.” Another user running SAML reported the same “helpdesk” account. Support tickets are open, with Fortinet’s developer team confirming that the issue persists. Carl Windsor from PSIRT is leading the forensics.
These matching incidents point to a coordinated campaign targeting internet-exposed FortiGates running affected builds. Fortinet acknowledges the issue remains in 7.4.10; fixes are scheduled for upcoming releases.
In mid-December, Shadowserver discovered that more than 25,000 Fortinet devices were publicly accessible online, and notably, many of these had the FortiCloud Single Sign-On (SSO) feature activated.
| FortiOS Version | Vulnerability Status | Fix Availability |
|---|---|---|
| 7.4.9 | Vulnerable (exploited) | 7.4.11 (scheduled) |
| 7.4.10 | Vulnerable (not fixed) | 7.4.11 (scheduled) |
| 7.6.x | Vulnerable | 7.6.6 (scheduled) |
| 8.0.x | Vulnerable (pre-release) | 8.0.0 (scheduled) |
Prior versions may also be affected; check Fortinet’s advisory.
Until a fixed release is available, disable FortiCloud SSO admin logins from the CLI to block the exploitation path:
```text
config system global
    set admin-forticloud-sso-login disable
end
```
This removes the FortiCloud SSO login path without disrupting local or SAML admin authentication; re-enable it once the fix is installed. Since one of the reports above came from a SAML-configured device, review SAML admin access and Local-In policies as well rather than relying on this change alone. Fortinet urges applying it now, especially on internet-exposed firewalls.
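To check a configuration backup for the setting above and for administrator accounts that should not exist, here is an added example in Python; it is not Fortinet’s code and was not part of the original report. It parses the FortiOS backup format (`config` / `edit` / `next` / `end`) on a constructed sample; the admin allowlist is an assumption you would replace with your own. Backups record only non-default values, so an absent `admin-forticloud-sso-login` line means the version default applies; confirm on the device with `show full-configuration system global` rather than assuming.

```python
import re

# Constructed sample of a FortiOS configuration backup for this example; it is
# not taken from any real device. Backups only record non-default values.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "FGT60F-edge"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "helpdesk"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops-ro"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')
_EDIT_RE = re.compile(r'^edit\s+"?(.*?)"?$')


def parse_fortios_config(text):
    """Parse a FortiOS backup into {section: {object_name: {key: value}}}.

    Settings directly under a section with no 'edit' entries (e.g. 'system
    global') are stored under the object name None. Nested 'config' blocks are
    keyed by their full path, e.g. 'system admin / trusthost'.
    """
    sections = {}
    path = []   # section names, innermost last
    objs = []   # current 'edit' object per nesting level (None outside an edit)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            path.append(line[len("config "):])
            objs.append(None)
            sections.setdefault(" / ".join(path), {})
        elif line.startswith("edit "):
            objs[-1] = _EDIT_RE.match(line).group(1)
            sections[" / ".join(path)].setdefault(objs[-1], {})
        elif line == "next":
            objs[-1] = None
        elif line == "end":
            path.pop()
            objs.pop()
        else:
            m = _SET_RE.match(line)
            if m and path:
                value = m.group(2).strip().strip('"')
                sections[" / ".join(path)].setdefault(objs[-1], {})[m.group(1)] = value
    return sections


def audit_admin_access(config_text, expected_admins):
    """Report the FortiCloud SSO login state and admin accounts not on the allowlist."""
    cfg = parse_fortios_config(config_text)
    glob = cfg.get("system global", {}).get(None, {})
    # None means the line is absent, i.e. the version default applies; confirm
    # with 'show full-configuration system global' on the device, do not assume.
    sso_login = glob.get("admin-forticloud-sso-login")
    admins = {n: a for n, a in cfg.get("system admin", {}).items() if n is not None}
    return {
        "forticloud_sso_login": sso_login,
        "unexpected_admins": sorted(n for n in admins if n not in expected_admins),
        "super_admins": sorted(n for n, a in admins.items()
                               if a.get("accprofile") == "super_admin"),
    }


if __name__ == "__main__":
    # Allowlist is an assumption for the example: replace with your own inventory.
    print(audit_admin_access(SAMPLE_CONFIG, {"admin", "netops-ro"}))
```

Run it against backups collected from every internet-reachable FortiGate; any name in `unexpected_admins`, and any `super_admin` account nobody can account for, warrants the incident-response steps below.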
- Audit Logs: Review admin login events for unexpected SSO logins and for newly created administrator accounts (e.g., “helpdesk”), paying particular attention to account creation shortly after a login from the same source IP.
- Network Segmentation: Restrict administrative access to trusted networks and enforce Local-In policies so the management interface is not reachable from the internet.
- Monitoring: Forward event logs to a SIEM and alert on admin account changes; hunt for the pattern seen in these incidents, a login and an admin creation from the same IP.
- Patching: Upgrade to the fixed versions as soon as they are released, after testing in staging.
- Enterprise Response: If a device is compromised, treat every credential on it as exposed and rotate them, isolate the device, and engage Fortinet support.
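The log pattern described in the incidents above, a successful admin login followed by creation of a `system.admin` object from the same source IP, can be hunted for in exported FortiOS event logs. Here is an added Python example that does that; it is not Fortinet’s code and was not part of the original report. The sample log lines are constructed for the example in the FortiOS `key=value` format; the field names used (`logdesc`, `status`, `srcip`, `ui`, `action`, `cfgpath`, `cfgobj`, `cfgattr`) appear in FortiOS event logs, but log IDs and the exact wording on your version should be checked against your own logs. The page does not say how FortiOS labels a FortiCloud SSO session, so the correlation fires on any admin login and reports the login’s user and UI so the analyst can judge the source.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiOS-style event log lines for this example (not real device
# output). Two lines reproduce the reported pattern; two are benign noise.
SAMPLE_LOGS = """\
date=2026-01-07 time=03:12:44 devname="FGT60F-edge" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="cloud-admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator cloud-admin logged in successfully from https(203.0.113.45)"
date=2026-01-07 time=03:13:10 devname="FGT60F-edge" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloud-admin" ui="GUI(203.0.113.45)" action="Add" cfgtid=1879048200 cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[super_admin]vdom[root]" msg="Add system.admin helpdesk"
date=2026-01-07 time=09:02:51 devname="FGT60F-edge" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="ssh(198.51.100.7)" method="ssh" srcip=198.51.100.7 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(198.51.100.7)"
date=2026-01-07 time=09:05:02 devname="FGT60F-edge" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ssh(198.51.100.7)" action="Edit" cfgtid=1879048201 cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[reviewed]" msg="Edit firewall.policy 12"
"""

_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')
_PROFILE_RE = re.compile(r'accprofile\[([^\]]*)\]')


def parse_fortios_log(line):
    """Split a FortiOS key=value log line into a dict, unquoting quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


def event_time(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def source_ip(rec):
    """Login events carry srcip; config-change events carry the IP inside ui="GUI(x.x.x.x)"."""
    if "srcip" in rec:
        return rec["srcip"]
    m = _UI_IP_RE.search(rec.get("ui", ""))
    return m.group(1) if m else None


def find_login_then_admin_creation(lines, window=timedelta(minutes=15)):
    """Flag 'system.admin' objects added within `window` of a successful admin
    login from the same source IP, the sequence reported in these incidents."""
    records = sorted((parse_fortios_log(l) for l in lines if l.strip()), key=event_time)
    logins = []   # (time, ip, user, ui) of successful admin logins seen so far
    alerts = []
    for rec in records:
        if rec.get("logdesc") == "Admin login successful" and rec.get("status") == "success":
            logins.append((event_time(rec), source_ip(rec), rec.get("user"), rec.get("ui")))
        elif rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            t, ip = event_time(rec), source_ip(rec)
            # Most recent matching login wins; window keeps the correlation tight.
            for lt, lip, luser, lui in reversed(logins):
                if lip == ip and timedelta(0) <= t - lt <= window:
                    prof = _PROFILE_RE.search(rec.get("cfgattr", ""))
                    alerts.append({
                        "src_ip": ip,
                        "login_user": luser,
                        "login_ui": lui,
                        "new_admin": rec.get("cfgobj"),
                        "accprofile": prof.group(1) if prof else None,
                        "seconds_after_login": int((t - lt).total_seconds()),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_login_then_admin_creation(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed sample this yields one alert, the “helpdesk” account created 26 seconds after a login from 203.0.113.45; the SSH session from 198.51.100.7 that only edits a firewall policy is correctly ignored. Feed it the raw lines exported from FortiAnalyzer or your SIEM, and treat any hit whose `login_user` or `login_ui` you cannot tie to a known administrator as a confirmed compromise.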
Fortinet has promised advisories shortly. The incident underscores the risk of exposing SSO-based admin login on firewalls, the value of disabling features that are not needed, and the need to monitor administrative activity aggressively. A CVSS score and full IOCs are still pending.
