Rapid7’s IR team investigated exploitation of CVE-2025-59718 that enabled an SSO authentication bypass on FortiGate appliances, which attackers used to create admin accounts, download device configurations, and gain persistent ingress to the internal network. Attackers leveraged Mimikatz, network scanning tools, RDP, and PsExec to move laterally toward high-value systems while responders correlated FortiGate logs and deployed detections to contain the intrusion. #CVE-2025-59718 #FortiGate
Key points
- Attackers exploited CVE-2025-59718 to bypass SSO authentication on FortiGate appliances, turning the firewall into an ingress point.
- Initial persistence included enabling SSL VPN, creating multiple administrative accounts, and downloading the device configuration to map the environment.
- Credential theft using Mimikatz enabled lateral movement via PsExec and RDP toward virtualization hosts, domain controllers, and backup systems.
- Investigation required correlating FortiGate system logs, authentication logs, and endpoint telemetry to reconstruct the attack timeline and identify the initial access vector (IAV).
- Multiple external IPs and Namecheap-hosted domains were linked to attacker activity and newly created FortiGate accounts, providing actionable IOCs.
- Rapid7 developed detections for exploitation attempts, config exfiltration, and suspicious SSO logins to help customers identify related activity earlier.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of CVE-2025-59718 on FortiGate appliances to bypass SSO and gain administrative access (‘exploitation of CVE-2025-59718 against a vulnerable FortiGate appliance.’)
- [T1136] Create Account – Creation of local and SSO administrative accounts on the FortiGate device to establish persistence (‘multiple accounts had been created on the device, including SSO administrator, system administrator, and local accounts.’)
- [T1078] Valid Accounts – Use of created/compromised accounts for SSL VPN and RDP authentication to access internal resources (‘administrative SSO logins to the FortiGate appliance with valid accounts.’)
- [T1562] Impair Defenses – Modification of firewall policies and configuration to permit attacker access and persistence (‘firewall rules added to allow for attacker access.’)
- [T1003] OS Credential Dumping – Use of Mimikatz to harvest credentials from systems and registry hives to obtain elevated credentials (‘Mimikatz was utilized to harvest credentials from various sources within the impacted environment.’)
- [T1016] System Network Configuration Discovery – Download of FortiGate configuration files to expose network architecture and authentication settings (‘System config file has been downloaded by user admin via GUI(104.28.227[.]105)’)
- [T1046] Network Service Scanning – Execution of network scanning tools (Advanced_Port_Scanner) to enumerate SMB and internal hosts (‘network scanning tools such as Advanced_Port_Scanner to scan internal IP addresses over SMB protocol.’)
- [T1021] Remote Services – Use of Remote Desktop Protocol (RDP) for lateral movement into target hosts (‘Use of Remote Desktop Protocol (RDP).’)
- [T1569.002] Service Execution – Remote execution of PsExec to test credentials and execute commands on remote systems (‘Remote execution of the sysinternals tool PsExec to test credentials against an impacted system.’)
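The two FortiGate-side signals the report calls out, a config download from an unexpected source and a newly created admin object, can be pulled out of the appliance's event log with a small parser. This is an added example, not Rapid7's detection or FortiGate's own tooling: the key="value" layout, the field names (user, action, cfgpath, cfgobj) and the trusted admin range are assumptions, the log lines are constructed, and only the config-download message text is taken from the report.

```python
import ipaddress
import re

# Constructed FortiGate-style event log lines (the key="value" layout and the
# field names are assumed; the config-download message text is the one quoted
# in the report). The IPs are documentation/placeholder ranges, not the report's IOCs.
SAMPLE_LOGS = [
    'date=2025-12-01 time=08:55:11 type="event" subtype="system" user="netops" '
    'msg="System config file has been downloaded by user netops via GUI(10.0.0.5)"',
    'date=2025-12-01 time=09:10:40 type="event" subtype="system" user="admin" '
    'action="Add" cfgpath="system.admin" cfgobj="support_acc" msg="Add system.admin support_acc"',
    'date=2025-12-01 time=09:14:02 type="event" subtype="system" user="admin" '
    'msg="System config file has been downloaded by user admin via GUI(198.51.100.23)"',
]

# Source ranges from which GUI config downloads are expected (assumed site policy).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GUI_IP_RE = re.compile(r"GUI\(([\d.]+)\)")


def parse_fortigate_line(line):
    """Split a key=value / key="value" line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip):
    """True when the source address falls inside an expected admin network."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)


def detect(lines):
    """Return (rule, user, detail) findings for the post-exploitation steps in the report."""
    findings = []
    for line in lines:
        ev = parse_fortigate_line(line)
        msg = ev.get("msg", "")
        # Config exfiltration: the exact message the report quotes, from an untrusted source IP.
        if msg.startswith("System config file has been downloaded"):
            m = GUI_IP_RE.search(msg)
            ip = m.group(1) if m else "unknown"
            if ip == "unknown" or not is_trusted(ip):
                findings.append(("config_download_untrusted", ev.get("user"), ip))
        # Persistence: any newly added admin or SSO-admin object deserves a review ticket.
        cfgpath = ev.get("cfgpath", "")
        if ev.get("action") == "Add" and cfgpath.startswith("system.") and "admin" in cfgpath:
            findings.append(("admin_account_created", ev.get("user"), ev.get("cfgobj")))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(*finding)
```

The trusted-network check is what separates routine operator downloads from the exfiltration pattern; pair it with the SSO login source IPs from the authentication log to tie a download back to a specific session.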
Indicators of Compromise
- [IP Address] FortiGate targeting and SSL VPN/authentication activity – 45.32.216[.]250, 104.28.227[.]105, and 10 other IPs
- [Domain] Attacker account infrastructure and email domains used for account creation – openmail[.]pro, forticloud.com
- [File Name] Tools and utilities observed on hosts and in logs – mimikatz.exe, advanced_ip_scanner.exe, and 2 more items
- [User Account] Newly created administrative accounts on FortiGate devices used for persistence – [email protected], local ‘admin’ account present