CVE-2025-59718, a critical SAML authentication bypass in Fortinet's FortiCloud SSO, is reportedly being exploited against FortiGate devices believed to be patched, with breaches reported on FortiOS 7.4.9. Administrators are urged to disable FortiCloud SSO admin login from the CLI and to audit for unauthorized forticloud-sso logins, newly created admin accounts and configuration exports, the indicators tied to this "zombie" vulnerability that keeps resurfacing on fixed firmware. #CVE-2025-59718 #FortiOS
Key points
- The CVE-2025-59718 SAML bypass allows an unauthenticated attacker to bypass FortiGate administrator authentication through FortiCloud SSO.
- Active exploitation has been observed on devices running FortiOS 7.4.9, a release that carries the published fix.
- Attackers have been observed gaining access through FortiCloud SSO and then creating local admin accounts (for example “helpdesk”) to keep access after the SSO path is closed.
- Immediate mitigation: disable FortiCloud SSO admin login (the admin-forticloud-sso-login setting) from the CLI on every FortiGate unit; this is a workaround that removes the attack path, not a replacement for the patch.
- When auditing logs, treat forticloud-sso logins, unexpected admin user creation and configuration exports as the primary indicators of compromise.
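A small log-triage script for the three indicators listed above, added here as an example and not taken from the article or from Fortinet. It parses FortiGate key=value event logs and flags successful admin logins whose UI or method names forticloud-sso, additions of system.admin objects (rogue accounts such as "helpdesk"), logins by admin accounts outside a known baseline, and configuration backups. The sample log lines are constructed; the exact logdesc strings, the forticloud-sso token in the ui/method fields and the "Configuration backed up" wording are assumptions that should be confirmed against the FortiOS Log Reference for the firmware in use before relying on them.

```python
"""
Triage FortiGate event logs for the CVE-2025-59718 indicators:
  1. administrator logins via FortiCloud SSO,
  2. creation of local admin accounts (system.admin objects added),
  3. logins by admin accounts not in the site baseline,
  4. configuration backups/exports.

FortiOS CLI mitigation referenced on the page (run on each FortiGate;
admin-forticloud-sso-login is a 'config system global' setting):
    config system global
        set admin-forticloud-sso-login disable
    end
"""
import shlex

# Assumption: the only sanctioned local administrator account is "admin".
KNOWN_ADMINS = {"admin"}


def parse_fortigate_log(line):
    """Parse one FortiGate key=value event log line into a dict.

    Values may be double-quoted and contain spaces (e.g. msg="..."),
    so tokenize with shlex rather than str.split().
    """
    fields = {}
    for tok in shlex.split(line):
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(fields, known_admins=KNOWN_ADMINS):
    """Return an indicator name for a parsed log line, or None if benign."""
    desc = fields.get("logdesc", "")
    user = fields.get("user", "")
    ui = fields.get("ui", "").lower()
    method = fields.get("method", "").lower()
    # 1./3. Successful admin login: flag the SSO path, then unknown accounts.
    #       (logdesc wording and the forticloud-sso token are assumptions.)
    if desc == "Admin login successful" and fields.get("status") == "success":
        if "forticloud-sso" in ui or "forticloud-sso" in method:
            return "forticloud-sso-login"
        if user not in known_admins:
            return "login-by-unknown-admin"
    # 2. A new system.admin object being added (e.g. a rogue "helpdesk" user).
    if (desc == "Object attribute configured"
            and fields.get("cfgpath") == "system.admin"
            and fields.get("action") == "Add"):
        return "admin-account-created"
    # 4. Configuration backup/export; assumed logdesc wording.
    if "backed up" in desc.lower() or "backup" in desc.lower():
        return "config-export"
    return None


def triage(lines, known_admins=KNOWN_ADMINS):
    """Return a list of findings (dicts) for every suspicious line."""
    findings = []
    for line in lines:
        f = parse_fortigate_log(line)
        kind = classify(f, known_admins)
        if kind:
            findings.append({
                "indicator": kind,
                "time": f"{f.get('date', '?')} {f.get('time', '?')}",
                "user": f.get("user", "?"),
                "srcip": f.get("srcip", "?"),
                "object": f.get("cfgobj", ""),
            })
    return findings


# Constructed sample lines; IPs are documentation ranges, not real hosts.
SAMPLE_LOGS = [
    'date=2025-12-20 time=08:01:12 logid="0100032002" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(198.51.100.10)" method="https" srcip=198.51.100.10 dstip=203.0.113.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(198.51.100.10)"',
    'date=2025-12-20 time=09:14:55 logid="0100032002" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="forticloud-sso(203.0.113.77)" method="forticloud-sso" srcip=203.0.113.77 dstip=203.0.113.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from forticloud-sso(203.0.113.77)"',
    'date=2025-12-20 time=09:15:30 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="forticloud-sso(203.0.113.77)" action="Add" cfgtid=1122 cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[super_admin]" msg="Add system.admin helpdesk"',
    'date=2025-12-20 time=09:16:02 logid="0100032002" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="helpdesk" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 dstip=203.0.113.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator helpdesk logged in successfully from https(203.0.113.77)"',
    'date=2025-12-20 time=09:17:41 logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Configuration backed up" user="helpdesk" ui="https(203.0.113.77)" action="backup" status="success" msg="Configuration backed up by helpdesk"',
    'date=2025-12-20 time=10:02:09 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.10)" action="Edit" cfgtid=1123 cfgpath="firewall.address" cfgobj="branch-net" cfgattr="subnet[10.10.0.0/24]" msg="Edit firewall.address branch-net"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Feed the script real exported event logs one line at a time and extend KNOWN_ADMINS with the site's baseline; a forticloud-sso-login hit followed by an admin-account-created and a config-export from the same source address is the pattern the article describes and should be escalated rather than closed as a false positive.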
Read More: https://thecyberexpress.com/active-exploits-on-fixed-fortios-749-firmware/