Fortinet confirms critical FortiCloud auth bypass not fully patched

Fortinet confirmed it is working to fully address a critical FortiCloud SSO authentication bypass (CVE-2025-59718) after administrators reported that fully patched FortiGate firewalls were still being compromised. Security firms observed automated attacks that created administrator accounts with VPN access and stole firewall configurations within seconds of the initial login, and Fortinet advised restricting internet-facing administrative access and disabling FortiCloud SSO while a complete fix is developed. #Fortinet #CVE-2025-59718

Keypoints

  • Fortinet acknowledged ongoing exploitation of a FortiCloud SSO authentication bypass tied to CVE-2025-59718 and is working on a remediation.
  • Attackers appear to be running automated campaigns that create administrator accounts with VPN access and exfiltrate firewall configurations within seconds of gaining access.
  • Arctic Wolf and customer logs link the activity to IOCs such as [email protected] and IP 104.28.244.114, matching December incidents.
  • Fortinet recommends restricting internet-facing administrative access with local-in policies and disabling the FortiCloud SSO login feature until a complete fix is available.
  • Shadowserver reports nearly 11,000 Fortinet devices with FortiCloud SSO exposed online, and CISA has marked CVE-2025-59718 as actively exploited.
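The two interim mitigations from the keypoints above, written out as FortiOS CLI. This is an added example, not text from the article or from Fortinet's advisory; it assumes a FortiOS 7.x CLI, that "wan1" is the internet-facing interface, and that 192.0.2.0/24 is the management network (both placeholders to replace with your own values).

```text
# Added example, not from the original article or Fortinet's advisory.
# Assumptions: FortiOS 7.x CLI; "wan1" is the internet-facing interface and
# 192.0.2.0/24 is the management network (both are placeholders).

# 1. Disable FortiCloud SSO logins to the firewall's admin interface.
config system global
    set admin-forticloud-sso-login disable
end

# 2. Restrict administrative access on the WAN interface with local-in policies.
#    Policies are evaluated in order: allow HTTPS/SSH from the management
#    network first, then deny the same services from everywhere else.
config firewall address
    edit "mgmt-net"
        set subnet 192.0.2.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-net"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# 3. Verify the settings took effect, and review the admin account list for
#    entries you did not create.
show full-configuration system global | grep admin-forticloud-sso
show firewall local-in-policy
show system admin
```

Two caveats a practitioner would check before applying this: if the GUI listens on a non-default port (admin-sport), the local-in policies must reference a custom service on that port rather than the built-in HTTPS object; and if SSL VPN is served on 443 on the same interface, a blanket HTTPS deny will also cut off VPN users, so scope the deny to the admin port instead.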

Read More: https://www.bleepingcomputer.com/news/security/fortinet-confirms-critical-forticloud-auth-bypass-not-fully-patched/