Attackers are exploiting a patch bypass in a FortiGate authentication vulnerability (CVE-2025-59718) to create admin accounts on devices that were thought to be patched, and Fortinet has acknowledged that 7.4.10 did not fully fix the issue. Admins are advised to disable FortiCloud SSO or apply the upcoming FortiOS fixes; Shadowserver and CISA report thousands of exposed devices and active exploitation, and a separate FortiSIEM vulnerability with a public PoC is also being abused. #CVE-2025-59718 #FortiCloudSSO
Key points
- Attackers are exploiting an authentication bypass (CVE-2025-59718) to create admin accounts on FortiGate devices, including systems running 7.4.9 and 7.4.10.
- Fortinet reportedly confirmed 7.4.10 did not fully remediate the vulnerability and plans to release FortiOS 7.4.11, 7.6.6, and 8.0.0.
- Administrators should disable FortiCloud SSO via the GUI (System → Settings) or the CLI (config system global; set admin-forticloud-sso-login disable; end) until a complete patch is available.
- Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, with roughly 11,000 still reachable online.
- CISA added CVE-2025-59718 to its actively exploited vulnerabilities list and ordered rapid patching, and a separate FortiSIEM flaw with public proof-of-concept code is also being exploited.
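The two defender checks the points above call for are whether the FortiCloud SSO admin login is still enabled and whether any admin account exists that the team did not create. The following is an added example, not code from the article or from Fortinet: it parses a FortiOS configuration backup offline and reports both. It assumes the standard FortiOS backup syntax (`config system global` ... `end`, and `config system admin` with `edit "name"` / `next` entries); the sample configuration and the admin names in it are constructed for the example. Because backups omit settings left at their default, an absent admin-forticloud-sso-login line is reported as unset rather than assumed safe.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a FortiOS config backup fragment (not taken from the article).
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-edge-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
    edit "ops_helpdesk"
        set accprofile "prof_admin"
    next
end
"""


def extract_block(config: str, header: str) -> Optional[str]:
    """Return the body of the top-level `config <header>` ... `end` block, or None."""
    lines = config.splitlines()
    start = None
    for i, line in enumerate(lines):
        if line.strip() == f"config {header}":
            start = i + 1
            break
    if start is None:
        return None
    depth = 0  # nested `config ... end` sections inside the block
    body: List[str] = []
    for line in lines[start:]:
        s = line.strip()
        if s.startswith("config "):
            depth += 1
        elif s == "end":
            if depth == 0:
                return "\n".join(body)
            depth -= 1
        body.append(line)
    return None  # block never closed


def forticloud_sso_state(config: str) -> str:
    """'enable', 'disable', or 'unset' when the line is absent (defaults are not written to backups)."""
    block = extract_block(config, "system global")
    if block is None:
        return "unset"
    m = re.search(r"^\s*set admin-forticloud-sso-login (enable|disable)\s*$", block, re.M)
    return m.group(1) if m else "unset"


def admin_accounts(config: str) -> Dict[str, str]:
    """Map each admin account name in `config system admin` to its accprofile ('' if none set)."""
    accounts: Dict[str, str] = {}
    block = extract_block(config, "system admin")
    if block is None:
        return accounts
    current = None
    depth = 0
    for line in block.splitlines():
        s = line.strip()
        if s.startswith("config "):
            depth += 1
            continue
        if s == "end":
            depth -= 1
            continue
        if depth:
            continue  # ignore settings inside nested sub-tables
        m = re.match(r'^edit "([^"]*)"$', s)
        if m:
            current = m.group(1)
            accounts[current] = ""
            continue
        m = re.match(r'^set accprofile "([^"]*)"$', s)
        if m and current is not None:
            accounts[current] = m.group(1)
        elif s == "next":
            current = None
    return accounts


def audit(config: str, expected_admins: List[str]) -> Dict[str, object]:
    """Flag an enabled/unset SSO admin login and any admin account not on the expected list."""
    findings: List[str] = []
    state = forticloud_sso_state(config)
    if state == "enable":
        findings.append("FortiCloud SSO admin login is explicitly enabled")
    elif state == "unset":
        findings.append("admin-forticloud-sso-login not present in backup; verify on the device")
    accounts = admin_accounts(config)
    unexpected = sorted(n for n in accounts if n not in expected_admins)
    for name in unexpected:
        findings.append(f"unexpected admin account: {name} (profile {accounts[name] or 'unknown'})")
    return {"sso_state": state, "unexpected_admins": unexpected, "findings": findings}


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, ["admin", "ops_helpdesk"])["findings"]:
        print(f)
```

Run it against an exported backup and a list of the admin names you actually provisioned; on the sample it reports that SSO login is enabled and that svc_backup is not an expected account. The allowlist comparison is deliberately strict, since the attack described creates accounts that look ordinary.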