Key Takeaways
- A critical vulnerability (CVE-2025-59718) in Fortinet’s Single Sign-On (SSO) feature for FortiGate firewalls is being actively exploited by attackers.
- The vulnerability allows remote attackers to create unauthorized local admin accounts with full administrative access to internet-exposed devices.
- The flaw affects FortiOS versions 7.4.9, 7.4.10, and potentially prior versions, and is not fully patched yet.
- To mitigate the vulnerability, users can disable FortiCloud SSO logins via CLI, audit logs for suspicious activity, and implement network segmentation and monitoring.
- Fortinet has acknowledged the issue and is working on releasing patches for the affected versions.
Introduction to the Vulnerability
A critical vulnerability in Fortinet’s Single Sign-On (SSO) feature for FortiGate firewalls, tracked as CVE-2025-59718, has been discovered to be under active exploitation by attackers. This vulnerability allows remote attackers to create unauthorized local admin accounts, granting them full administrative access to internet-exposed devices. The flaw affects the FortiCloud SSO login mechanism in FortiOS, enabling attackers to authenticate via malicious SSO logins and bypass standard controls.
Exploitation in the Wild
Multiple users have reported identical attack patterns, prompting Fortinet’s PSIRT forensics team to investigate. The attacks have been observed on FortiGate 7.4.9, with malicious SSO logins from the same IP address triggering the creation of local admin accounts. These attacks have been detected via SIEM alerts, and victims have confirmed that the devices were internet-facing with SSO enabled. The coordinated nature of these attacks suggests a threat actor campaign targeting unpatched FortiGates. Fortinet has acknowledged the issue and confirmed that it persists despite patches, enabling privilege escalation on firewalls using SAML or FortiCloud SSO for admin authentication.
Vulnerability Status and Fix Availability
The vulnerability affects FortiOS versions 7.4.9, 7.4.10, and potentially prior versions. The current status of the vulnerability and the scheduled fix availability are as follows:
- FortiOS 7.4.9: Vulnerable (exploited), fix scheduled for 7.4.11
- FortiOS 7.4.10: Vulnerable (not fixed), fix scheduled for 7.4.11
- FortiOS 7.6.x: Vulnerable, fix scheduled for 7.6.6
- FortiOS 8.0.x: Vulnerable (pre-release), fix scheduled for 8.0.0
It is essential to note that prior versions may also be affected, and users should check Fortinet’s advisory for further information.
Mitigation and Recommendations
To mitigate the vulnerability, users can disable FortiCloud SSO logins via CLI using the following command:
config system global
set admin-forticloud-sso-login disable
end
This prevents SSO-based attacks without disrupting local or SAML authentication. Additionally, users should audit logs for suspicious SSO logins and new admins, restrict admin access, and enforce Local-In policies. Monitoring for IOCs like matching IPs/logins and integrating SIEM for admin changes is also crucial. Once the patches are released, users should upgrade to the fixed versions and test them in a staging environment.
Enterprise Response and Conclusion
If an organization is compromised, it is essential to rotate credentials, isolate devices, and engage Fortinet support. The incident underscores the risks associated with SSO in firewalls and the importance of disabling unnecessary features and monitoring aggressively. Fortinet promises to release advisories soon, and users should stay tuned for the CVSS score and full IOCs. By following the recommended mitigation steps and staying informed, organizations can protect themselves from this critical vulnerability and prevent potential attacks.
