Critical Fortinet SSO Vulnerability Exploited to Hijack Firewalls and Gain Admin Access
A critical security flaw in Fortinet’s Single Sign-On (SSO) feature for FortiGate firewalls, identified as CVE-2025-59718, is currently being actively exploited by cyber attackers. This vulnerability enables unauthorized creation of local administrative accounts, granting full control over affected devices.
Vulnerability Overview
CVE-2025-59718 resides within the FortiCloud SSO login mechanism in FortiOS. By exploiting this flaw, remote attackers can authenticate through malicious SSO logins, effectively bypassing standard security controls. This vulnerability persists despite previous patches, allowing privilege escalation on firewalls that utilize SAML or FortiCloud SSO for administrative authentication.
Although an official Common Vulnerability Scoring System (CVSS) score has yet to be assigned, the real-world implications are severe. Attackers have been observed creating backdoor accounts, such as helpdesk, with full system privileges. For exploitation to occur, the devices must be internet-facing with SSO enabled.
Active Exploitation in the Wild
Multiple users have reported identical attack patterns, prompting Fortinet’s Product Security Incident Response Team (PSIRT) to initiate a forensic investigation. Reddit user u/csodes detailed an incident involving a FortiGate 7.4.9 device (specifically, an FGT60F model). A malicious SSO login from a consistent IP address led to the creation of a local administrative account, which was detected through Security Information and Event Management (SIEM) alerts. Victims have confirmed deployments since late December 2025, indicating that earlier versions may also be susceptible.
One organization noted that their Local-In policy script failed, and the device was internet-reachable. Another, utilizing SAML, reported the unauthorized creation of the helpdesk account. Support tickets have been opened, with Fortinet’s developer team confirming the persistence of the issue. Carl Windsor from PSIRT is leading the forensic analysis.
These coordinated attacks suggest a concerted campaign by threat actors targeting unpatched FortiGate devices. Fortinet acknowledges that the issue remains in version 7.4.10, with fixes scheduled for upcoming releases.
In mid-December, the Shadowserver Foundation discovered that over 25,000 Fortinet devices were publicly accessible online, many with the FortiCloud SSO feature activated.
Affected Versions and Scheduled Fixes
The following FortiOS versions are confirmed to be vulnerable:
– 7.4.9: Vulnerable (exploited); fix scheduled for 7.4.11
– 7.4.10: Vulnerable (not fixed); fix scheduled for 7.4.11
– 7.6.x: Vulnerable; fix scheduled for 7.6.6
– 8.0.x: Vulnerable (pre-release); fix scheduled for 8.0.0
Earlier versions may also be affected; users are advised to consult Fortinet’s official advisory for comprehensive information.
Immediate Mitigation Measures
To mitigate the risk of exploitation, administrators are strongly advised to disable FortiCloud SSO logins via the Command Line Interface (CLI) with the following commands:
“`
config system global
set admin-forticloud-sso-login disable
end
“`
This action prevents SSO-based attacks without disrupting local or SAML authentication methods. It is recommended to re-enable this feature only after applying the necessary patches. Fortinet emphasizes the urgency of implementing this workaround, especially for internet-exposed firewalls.
Additional Recommendations
– Audit Logs: Regularly review logs for suspicious SSO login attempts and unauthorized administrative account creations, such as accounts named helpdesk.
– Network Segmentation: Restrict administrative access by enforcing Local-In policies and segmenting network access appropriately.
– Monitoring: Integrate SIEM solutions to monitor for administrative changes and scan for Indicators of Compromise (IoCs), including matching IP addresses and login patterns.
– Patching: Upgrade to the fixed versions upon their release, ensuring thorough testing in a staging environment before deployment.
– Enterprise Response: In the event of a compromise, promptly rotate credentials, isolate affected devices, and engage Fortinet support for assistance.
Fortinet has committed to releasing detailed advisories soon. This incident underscores the inherent risks associated with SSO implementations in firewall systems, highlighting the importance of disabling unnecessary features and maintaining vigilant monitoring practices. Users are encouraged to stay informed for updates on CVSS scores and comprehensive IoCs.
