Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?
CVE-2025-59718, a critical authentication bypass flaw that attackers exploited in December 2025 to compromise FortiGate appliances, appears to persist in newer, purportedly fixed releases of the underlying FortiOS.
According to Fortinet, CVE-2025-59718 had been fixed in FortiOS versions 7.6.4 or above, 7.4.9 or above, 7.2.12 or above, and 7.0.18 or above.
But on Tuesday, a Fortinet administrator posted on Reddit asking whether other enterprise admins had observed attackers logging in and creating new accounts on FortiGate firewalls that had already been upgraded to address CVE-2025-59718.
The Reddit user said that they spotted a malicious SSO login on one of their FortiGate appliances running on v7.4.9, and their SIEM caught a local admin account being created.
“Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th,” the user noted, and asked for input.
Two other users replied that they had seen the same attack activity, and after comparing logs one of them confirmed that it matched.
“Also running 7.4.9. Same user login and IP address. Created a new system admin user named ‘helpdesk’. We have an open ticket with [Fortinet] support,” the user shared, then updated their comment to say that “the Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10,” and that a fix has been scheduled for the upcoming v7.4.11, v7.6.6 and v8.0.0.
What are security companies seeing?
Shadowserver currently “sees” over 11,000 internet-facing Fortinet devices with FortiCloud SSO enabled.
“Huntress has observed active exploitation of CVE-2025-59718 and CVE-2025-59719, both critical authentication bypass vulnerabilities affecting Fortinet products. Through our Managed SIEM telemetry, we have observed threat actors attempting to bypass and obtain administrative access to FortiGate and related devices,” Dray Agha, Senior Manager, Tactical Response at Huntress, told Help Net Security.
“In the last 30 days, we have observed, detected, and reported 11 instances. In the last 7 days, only one customer has advised that they were fully patched and didn’t know how they could have been targeted by this.”
The attacks are coming mainly from IPs associated with DigitalOcean, Kaopu Cloud HK, and Cloudflare, he shared, and the attack vector observed in all of those cases is the FortiCloud single sign-on (SSO) path.
“Specifically, malicious SAML responses are used to bypass normal authentication and log in as administrative accounts on vulnerable FortiGate appliances. Once authenticated, attackers export full device configuration files, which facilitates credential access and eventual persistence.”
Also on Tuesday, Reid Hutchins, a security engineer at Arctic Wolf, shared on X that they “have observed multiple compromises of fully patched Fortinet firewalls in the last 24 hours that exhibit behavior similar to a CVE disclosed last December.”
When contacted directly, the Arctic Wolf Labs team told Help Net Security that, starting on January 15, 2026, they began observing automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices.
“This activity involved the creation of generic accounts intended for long-term persistence, as well as exfiltration of firewall configurations,” the team shared, and said that the exploitation path for initial access has not been confirmed at this time.
At the moment, the only way to prevent CVE-2025-59718 exploitation seems to be the initial workaround, i.e., disabling the FortiCloud admin login option, either via the system settings or the command line interface.
Fortinet has yet to reply to our questions regarding these reports. We’ll update this article when we know more.
UPDATE (January 22, 2026, 06:55 a.m. ET):
Arctic Wolf has shared more information about this new cluster of automated malicious activity.
“The parameters of initial access details have not been fully confirmed,” the company’s researchers said, but they noted that the malicious SSO logins originated from several hosting providers, and were typically against the cloud-init@mail.io account.
The attackers then exported the configuration via the firewall’s GUI interface, then created a second admin account (“secadmin”, “itadmin”, “support”, “backup”, “remoteadmin”, or “audit”) for persistence. All these steps were performed in quick succession.
Security teams should check their logs for indicators of compromise (IP addresses, created accounts) and get in touch with Fortinet for advice if they find any.
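As an added illustration of the log check recommended above (not code from the article, Fortinet, Huntress or Arctic Wolf), the following Python script correlates a successful SSO admin login with an admin-account creation that follows within a short window, and additionally flags the account names reported above. The key=value field names and the sample log lines are assumptions modelled on FortiGate's event log format, so adapt them to your own export.

```python
"""Flag an SSO admin login followed shortly by admin-account creation in FortiGate event logs.
Added illustration, not code from the article, Fortinet, Huntress or Arctic Wolf. Field names
(date, time, action, status, user, ui, srcip, cfgpath, cfgobj) are an assumption modelled on
FortiGate's key=value event format; adapt them to your own export."""
import re
from datetime import datetime, timedelta

# Account names the article reports the attackers created for persistence.
SUSPECT_ACCOUNTS = {"helpdesk", "secadmin", "itadmin", "support",
                    "backup", "remoteadmin", "audit"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (RFC 5737 documentation address), not real telemetry.
SAMPLE_LOGS = [
    'date=2026-01-20 time=09:14:02 type="event" subtype="system" action="login" '
    'status="success" user="cloud-init@mail.io" ui="sso(203.0.113.7)" srcip=203.0.113.7 '
    'msg="Administrator logged in"',
    'date=2026-01-20 time=09:14:35 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="helpdesk" user="cloud-init@mail.io" ui="sso(203.0.113.7)"',
    'date=2026-01-20 time=13:02:11 type="event" subtype="system" action="login" '
    'status="success" user="netadmin" ui="GUI(10.0.0.5)" srcip=10.0.0.5',
    'date=2026-01-20 time=13:05:00 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="jdoe" user="netadmin" ui="GUI(10.0.0.5)"',
]

def parse(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return (login_user, src_ip, new_admin, secs_after_login, in_reported_list) per match."""
    sso_logins, findings = [], []
    for rec in map(parse, lines):
        if "date" not in rec or "time" not in rec:
            continue  # not an event line we can place in time
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        if rec.get("action") == "login" and rec.get("status") == "success" \
                and rec.get("ui", "").lower().startswith("sso"):
            sso_logins.append((ts, rec.get("user", ""), rec.get("srcip", "")))
        elif rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
            new_admin = rec.get("cfgobj", "")
            for lts, luser, lip in sso_logins:
                if timedelta(0) <= ts - lts <= window:
                    findings.append((luser, lip, new_admin, int((ts - lts).total_seconds()),
                                     new_admin in SUSPECT_ACCOUNTS))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("SSO login %s from %s created admin %r %ds later (reported name: %s)" % hit)
```

The local GUI login followed by an account creation in the sample is deliberately not flagged; only the SSO-originated sequence matches the pattern described in this campaign.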
Arctic Wolf researchers advised affected users to assume that hashed firewall credentials stored in exfiltrated configurations have been compromised and to reset them as soon as possible.
“If a vulnerability is later identified and a patch is released for that vulnerability, be sure to reset credentials upon applying the latest patches to guard against the potential of credentials being exfiltrated and used at a later time on fully patched systems,” they noted.
They also urged all users to limit access to management interfaces of network appliances to trusted internal users, and to consider temporarily turning off the FortiCloud SSO login feature (if in use) until Fortinet offers updated remediation information.
Still, they pointed out that, “due to uncertainty around the initial access method in this campaign, it is not known if [disabling FortiCloud SSO login] will be fully effective against the observed activity.”
UPDATE (January 23, 2026, 04:45 a.m. ET):
Fortinet finally acknowledged the situation and said that they have identified a number of cases where an exploit was successfully leveraged against fully upgraded appliances, “which suggested a new attack path”.
“Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations [i.e., third-party ones],” the company added.
In the meantime, they have shared indicators of compromise seen in the attacks, and urged customers to disallow access to the devices’ administration panels from the internet.
“If this is not possible, it is highly recommended to apply a local-in policy to restrict the IP addresses that are able to access the administrative interface. As an additional workaround we recommend disabling the FortiCloud SSO feature. This will prevent abuse via that method but not a third-party SSO system, so this is recommended only in conjunction with the local-in policy,” they added.
Affected customers should:
- Either restore their configuration with a known clean version, or terminate the admin accounts created by the attackers and revert the unauthorized changes to firewall and VPN rules.
- Treat their configuration as compromised and rotate credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices.
- Be on the lookout for updates from Fortinet and implement them when they are released.