Days after admins started reporting that their absolutely patched firewalls are being hacked, Fortinet confirmed it is working to completely handle a crucial FortiCloud SSO authentication bypass vulnerability that ought to have already been patched since early December.
This comes after a wave of experiences from Fortinet clients about menace actors exploiting a patch bypass for the CVE-2025-59718 vulnerability to compromise absolutely patched firewalls.
Cybersecurity firm Arctic Wolf stated on Wednesday that the marketing campaign started on January 15, with attackers creating accounts with VPN entry and stealing firewall configurations inside seconds, in what seem like automated assaults. It additionally added that the assaults are similar to incidents it documented in December, following the disclosure of the CVE-2025-59718 crucial vulnerability in Fortinet merchandise.
On Thursday, Fortinet lastly confirmed these experiences, stating that ongoing CVE-2025-59718 assaults match December’s malicious exercise and that it is now working to completely patch the flaw.
Affected Fortinet clients have additionally shared logs displaying that the attackers created admin customers after an SSO login from cloud-init@mail.io on IP handle 104.28.244.114, which match indicators of compromise detected by Arctic Wolf whereas analyzing ongoing FortiGate assaults and December in-the-wild exploitation, in addition to these shared by Fortinet on Thursday.
“Just lately, a small variety of clients reported surprising login exercise occurring on their gadgets, which appeared similar to the earlier concern. Nonetheless, within the final 24 hours, we’ve recognized quite a lot of circumstances the place the exploit was to a tool that had been absolutely upgraded to the newest launch on the time of the assault, which instructed a brand new assault path,” stated Fortinet Chief Data Safety Officer (CISO) Carl Windsor.
“Fortinet product safety has recognized the problem, and the corporate is engaged on a repair to remediate this prevalence. An advisory shall be issued because the repair scope and timeline is offered. You will need to be aware that whereas, presently, solely exploitation of FortiCloud SSO has been noticed, this concern is relevant to all SAML SSO implementations.”
Fortinet: Limit admin entry, disable FortiCloud SSO
Till Fortinet absolutely addresses the CVE-2025-59718 vulnerability, Windsor suggested clients to limit administrative entry to their edge community gadgets through the Web by making use of a local-in coverage that limits the IP addresses that may entry the gadgets’ administrative interfaces.
Admins must also disable the FortiCloud SSO function on their Fortinet gadgets by going into System -> Settings -> Swap and toggling off the “Permit administrative login utilizing FortiCloud SSO” choice.
Fortinet clients who detect any of the IOCs whereas checking their gadgets for post-exploitation proof are suggested to deal with “the system and configuration as compromised,” rotate credentials (together with any LDAP/AD accounts), and restore their configuration with a identified clear model.
Web safety watchdog Shadowserver now tracks practically 11,000 Fortinet gadgets uncovered on-line which have FortiCloud SSO enabled. CISA additionally added CVE-2025-59718 to its record of actively exploited vulnerabilities on December 16 and ordered federal businesses to patch inside per week.
BleepingComputer reached out to Fortinet a number of occasions this week with questions on these ongoing assaults, however the firm has but to reply.
It is finances season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the yr forward. This report compiles their insights, permitting readers to benchmark methods, determine rising tendencies, and examine their priorities as they head into 2026.
Find out how high leaders are turning funding into measurable impression.
