Fortinet, a leading provider of network security appliances like FortiGate firewalls, is facing renewed challenges as the critical authentication bypass vulnerability Fortinet CVE-2025-59718 continues to plague customers—even on devices thought to be fully patched. The issue allows unauthenticated attackers to bypass FortiCloud SSO (Single Sign-On) login via crafted SAML messages, potentially granting full administrative access and enabling rapid configuration theft, account creation, and network compromise.
Originally disclosed in early December 2025, the flaw (along with the related CVE-2025-59719) was supposed to be addressed in updated FortiOS versions. However, as of late January 2026, Fortinet has confirmed that the patch is not fully effective, with ongoing exploitation observed against “fully upgraded” devices. This resurgence highlights persistent risks in SAML-based SSO implementations and serves as a stark reminder of how identity and access management flaws can turn trusted security hardware into entry points for attackers.
Fortinet CVE-2025-59718 Details: A Persistent Authentication Bypass
Fortinet CVE-2025-59718 stems from improper verification of cryptographic signatures (CWE-347) in FortiOS, FortiProxy, FortiSwitchManager, and related products when FortiCloud SSO is enabled. Attackers can submit specially crafted SAML responses to bypass authentication entirely, creating admin accounts (often named something innocuous like “helpdesk”) and exfiltrating sensitive firewall configurations in seconds—often via automated campaigns.
Key details:
- Affected Products: FortiGate firewalls and other devices using FortiCloud SSO or broader SAML SSO.
- Severity: Critical (CVSS likely 9.8+ based on similar flaws).
- Exploitation in the Wild: Active since December 2025, with a new wave starting around January 15, 2026. Attackers from IP addresses like 104.28.244.114 (associated with cloud-init@mail.io) have been observed creating accounts and stealing configs.
- Patch Issues: Initial fixes in FortiOS 7.4.9+, 7.6.4+, etc., were thought sufficient, but reports from customers (and confirmations from Fortinet) show exploitation persisting on the latest releases, suggesting a new attack path or incomplete remediation.
Fortinet’s CISO Carl Windsor stated on January 23, 2026: “In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path. Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence.”
While exploitation has primarily targeted FortiCloud SSO so far, Fortinet warns the issue applies to all SAML SSO implementations, broadening the potential impact.
Why This Matters: Firewalls as Prime Targets
FortiGate devices are cornerstones of many enterprise perimeters, often handling VPN access, traffic inspection, and configuration for critical networks. A compromised firewall provides attackers with:
- Deep visibility into network traffic and configurations.
- Ability to pivot internally or establish persistent access (e.g., via created VPN accounts).
- Leverage for ransomware, data exfiltration, or further attacks.
With Shadowserver tracking over 11,000 internet-exposed Fortinet devices still with FortiCloud SSO enabled (down from 25,000+ in December), the attack surface remains significant. CISA added the CVE to its Known Exploited Vulnerabilities catalog in December 2025, mandating federal patching, yet private-sector exploitation continues unabated.
This isn’t Fortinet’s first brush with SSO-related issues—similar patterns have appeared in prior advisories—but the incomplete patching of Fortinet CVE-2025-59718 underscores the challenges of securing complex authentication flows in widely deployed hardware.
How Black Belt Secure Helps Mitigate These Risks
At Black Belt Secure, we help organizations stay ahead of vulnerabilities like Fortinet CVE-2025-59718 through layered, proactive defenses:
- 24/7 Security Operations Center (SOC) monitoring with AI-driven threat intelligence to detect anomalous logins, admin account creations, or configuration changes in real time—often engaging in under 4 minutes.
- Zero Trust Network Access (ZTNA) and least-privilege configurations to limit the impact of any compromised admin access.
- Penetration Testing & Vulnerability Management focused on edge devices, SSO integrations, and SAML configurations—identifying and remediating exposure before exploitation.
- Incident Response & Recovery planning, including credential rotation, config restoration from clean backups, and forensic analysis if compromise is suspected.
- Jutsu Program & vCISO Services for strategic guidance: maturity roadmaps, regular audits of network appliances, board-level reporting, and Executive-Level Assurance Guarantee to ensure resilient infrastructure.
Immediate steps for Fortinet users (per Fortinet and security researchers):
- Disable FortiCloud SSO immediately (System > Settings > toggle off “Allow administrative login using FortiCloud SSO,” or CLI: config system global set admin-forticloud-sso-login disable end).
- Restrict admin interface access via local-in policies to trusted IPs only.
- Monitor for IOCs (e.g., unexpected SSO logins from suspicious IPs, new admin accounts).
- Assume compromise if indicators match and rotate all credentials while restoring from known-good configs.
Fortinet is actively developing a complete fix—stay tuned for their forthcoming advisory. In the meantime, don’t rely solely on vendor patches; proactive monitoring and hardening are essential.
If your organization uses FortiGate, FortiCloud, or similar SSO-dependent security appliances and you’d like a security posture assessment, vulnerability scan, or simulated attack to test your defenses, contact Black Belt Secure today.
We’re here to help you defend against evolving threats and maintain cyber mastery.