The vulnerability, tracked as CVE-2025-59718, affects internet-exposed devices running the FortiCloud SSO login mechanism and is being used to gain full administrative control.
Multiple organizations have reported identical attack patterns over recent weeks, prompting Fortinet’s Product Security Incident Response Team (PSIRT) to launch a forensics investigation.
Despite available patches, the flaw continues to persist in certain versions, raising urgent concerns for enterprises worldwide.
CVE-2025-59718 targets the FortiCloud SSO login mechanism in FortiOS, enabling remote attackers to bypass authentication controls through malicious SSO login attempts.
Once exploited, threat actors can escalate privileges and create backdoor administrator accounts, typically named “helpdesk” with full system access.
The vulnerability specifically affects firewalls that use SAML or FortiCloud SSO for administrative authentication and are accessible from the internet.
While Fortinet has not yet published a CVSS score, real-world exploitation demonstrates severe risk, with attackers establishing persistent access through these unauthorized accounts.
Security professionals first reported the exploitation on Reddit, with user u/csodes and others detailing incidents on FortiGate 7.4.9 devices, including FGT60F models.
Victims discovered that a single malicious SSO login from a specific IP address triggered the automatic creation of local administrator accounts, which were detected through SIEM alerts.
One security team reported: “Our Local-In policy script failed, and the device was internet-reachable.” Another organization using SAML authentication confirmed the appearance of the suspicious “helpdesk” account.
These attacks began appearing in late December 2025, ruling out older firmware versions as the source.
Fortinet’s developer team has confirmed that the vulnerability remains unpatched in version 7.4.10, with fixes scheduled for upcoming releases.
Carl Windsor from Fortinet PSIRT is leading the forensics effort. The coordinated nature of these attacks suggests an organized threat actor campaign targeting unpatched FortiGate devices.
In mid-December 2025, Shadowserver Foundation discovered that over 25,000 Fortinet devices were publicly accessible with FortiCloud SSO enabled, creating a large attack surface for exploitation.
| FortiOS Version | Vulnerability Status | Fix Availability |
|---|---|---|
| 7.4.9 | Vulnerable (actively exploited) | 7.4.11 (scheduled) |
| 7.4.10 | Vulnerable (unpatched) | 7.4.11 (scheduled) |
| 7.6.x | Vulnerable | 7.6.6 (scheduled) |
| 8.0.x | Vulnerable (pre-release) | 8.0.0 (scheduled) |
Earlier versions may also be affected. Organizations should consult Fortinet’s official advisory for complete version details.
Fortinet has released an urgent workaround to block SSO-based exploitation. Administrators should disable FortiCloud SSO logins immediately via CLI:
textconfig system global
set admin-forticloud-sso-login disable
end
This command prevents SSO-based attacks without disrupting local authentication or SAML configurations. The setting can be re-enabled after applying patches.
Organizations should take the following actions immediately:
Audit Logs: Review system logs for suspicious SSO login attempts and unauthorized administrator accounts, particularly those named “helpdesk.”
Network Segmentation: Restrict administrative access to FortiGate devices and enforce strict Local-In firewall policies.
SIEM Monitoring: Configure alerts for administrator account changes and correlate login attempts from matching IP addresses.
Patch Planning: Prepare to upgrade to fixed versions as soon as Fortinet releases them, testing updates in staging environments first.
Incident Response: If compromise is suspected, immediately rotate all credentials, isolate affected devices, and contact Fortinet support for forensic assistance.
Fortinet is expected to release detailed security advisories soon.
This incident highlights the critical risks associated with SSO implementations in network security appliances and underscores the importance of disabling unused features and maintaining rigorous monitoring practices.
Organizations should watch for updated CVSS scores and indicators of compromise as investigations continue.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Fortinet SSO Flaw Actively Exploited to Compromise Firewalls and Gain Admin Access appeared first on Cyber Security News.
Bucks County Commissioners unanimously approved a proclamation underscoring the importance of Black History month at…
Metacritic has been forced to remove a suspicious-sounding Resident Evil Requiem review published by a…
Sony is reportedly pulling away from PC when it comes to single-player PlayStation games to…
Today marks the 30th anniversary of the Pokémon franchise. With over 1,000 pocket monsters to…
Commissioner of Homeland Security Jeff Long, left, seated next to Tennessee Highway Patrol Col. Matt…
Gov. Bill Lee's administration has proposed a disaster assistance fund -- initially created by the…
This website uses cookies.