Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?
CVE-2025-59718, a critical authentication bypass flaw that attackers exploited in December 2025 to compromise FortiGate appliances, appears to persist in newer, purportedly fixed releases of the underlying FortiOS.
According to Fortinet, CVE-2025-59718 had been fixed in FortiOS versions 7.6.4 or above, 7.4.9 or above, 7.2.12 or above, and 7.0.18 or above.
But on Tuesday, a Fortinet administrator posted on Reddit asking whether other enterprise admins had observed attackers logging in and creating new accounts on FortiGate firewalls that had already been upgraded to address CVE-2025-59718.
The Reddit user said that they spotted a malicious SSO login on one of their FortiGate appliances running on v7.4.9, and their SIEM caught a local admin account being created.
“Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th,” the user noted, and asked for input.
Two other users replied that they had seen the same attack activity; after comparing logs, one of them confirmed that the details matched.
“Also running 7.4.9. Same user login and IP address. Created a new system admin user named ‘helpdesk’. We have an open ticket with [Fortinet] support,” the user shared, then updated their comment to say that “the Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10,” and that it scheduled a fix on the upcoming v7.4.11, v7.6.6 and v8.0.0.
What are security companies seeing?
Shadowserver currently “sees” over 11,000 internet-facing Fortinet devices with FortiCloud SSO enabled.
“Huntress has observed active exploitation of CVE-2025-59718 and CVE-2025-59719, both critical authentication bypass vulnerabilities affecting Fortinet products. Through our Managed SIEM telemetry, we have observed threat actors attempting to bypass and obtain administrative access to FortiGate and related devices,” Dray Agha, Senior Manager, Tactical Response at Huntress, told Help Net Security.
“In the last 30 days, we have observed, detected, and reported 11 instances. In the last 7 days, only one customer has advised that they were fully patched and didn’t know how they could have been targeted by this.”
The attacks are coming mainly from IPs associated with DigitalOcean, Kaopu Cloud HK, and Cloudflare, he shared, and the attack vector observed in all of those cases is the FortiCloud single sign-on (SSO) path.
“Specifically, malicious SAML responses are used to bypass normal authentication and log in as administrative accounts on vulnerable FortiGate appliances. Once authenticated, attackers export full device configuration files, which facilitates credential access and eventual persistence.”
Also on Tuesday, Reid Hutchins, a security engineer at Arctic Wolf, shared on X that they “have observed multiple compromises of fully patched Fortinet firewalls in the last 24 hours that exhibit behavior similar to a CVE disclosed last December.”
When contacted directly, the Arctic Wolf Labs team told Help Net Security that, starting on January 15, 2026, they began observing automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices.
“This activity involved the creation of generic accounts intended for long-term persistence, as well as exfiltration of firewall configurations,” the team shared, and said that the exploitation path for initial access has not been confirmed at this time.
At the moment, the only way to prevent CVE-2025-59718 exploitation seems to be the initial workaround, i.e., disabling the FortiCloud SSO admin login option, either in the system settings or via the command line interface. Given the reports above, admins who had that option enabled should also check their devices for admin accounts they did not create and for configuration backups or exports they did not initiate.
Fortinet has yet to reply to our questions regarding these reports. We’ll update this article when we know more.
