InfoSecBulletin Cybersecurity for mankind
Fortinet customers are observing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn’t fully address this authentication bypass vulnerability, which should’ve been patched in early December with the release of FortiOS 7.4.9.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.
“We just had a malicious SSO login on one of our FortiGate’s running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th,” the admin said.
The customer shared logs showing that the admin user was created from an SSO login of [email protected] from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts.
“We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named “helpdesk”. We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10,” another one added.
Admins should temporarily disable the vulnerable FortiCloud login feature until Fortinet releases a fully patched FortiOS.
To disable FortiCloud login, you have to navigate to System -> Settings and switch “Allow administrative login using FortiCloud SSO” to Off. However, you can also run the following commands from the command-line interface:
This prevents SSO-based attacks without disrupting local or SAML auth. Re-enable post-patch. Fortinet urges applying it now, especially for internet-exposed firewalls.
Audit Logs: Review for suspicious SSO logins and new admins (e.g., “helpdesk”).
Network Segmentation: Restrict admin access; enforce Local-In policies.
Monitoring: Integrate SIEM for admin changes; scan for IOCs like matching IPs/logins.
Patching: Upgrade to fixed versions upon release; test in staging.
Enterprise Response: If compromised, rotate credentials, isolate devices, and engage Fortinet support.
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
Shadowserver now tracking just over 11,000 that are still reachable over the Internet.
