Days after admins began reporting that their fully patched firewalls are being hacked, Fortinet confirmed it’s working to fully address a critical FortiCloud SSO authentication bypass vulnerability that should have already been patched since early December.
This comes after a wave of reports from Fortinet customers about threat actors exploiting a patch bypass for the CVE-2025-59718 vulnerability to compromise fully patched firewalls.
Cybersecurity company Arctic Wolf said on Wednesday that the campaign began on January 15, with attackers creating accounts with VPN access and stealing firewall configurations within seconds, in what appear to be automated attacks. It also added that the attacks are very similar to incidents it documented in December, following the disclosure of the CVE-2025-59718 critical vulnerability in Fortinet products.
On Thursday, Fortinet finally confirmed these reports, stating that ongoing CVE-2025-59718 attacks match December’s malicious activity and that it’s now working to fully patch the flaw.
Affected Fortinet customers have also shared logs showing that the attackers created admin users after an SSO login from cloud-init@mail.io on IP address 104.28.244.114, which match indicators of compromise detected by Arctic Wolf while analyzing ongoing FortiGate attacks and December in-the-wild exploitation, as well as those shared by Fortinet on Thursday.
“Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue. However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path,” said Fortinet Chief Information Security Officer (CISO) Carl Windsor.
“Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations.”
Fortinet: Restrict admin access, disable FortiCloud SSO
Until Fortinet fully addresses the CVE-2025-59718 vulnerability, Windsor advised customers to restrict administrative access to their edge network devices via the Internet by applying a local-in policy that limits the IP addresses that can access the devices’ administrative interfaces.
Admins should also disable the FortiCloud SSO feature on their Fortinet devices by going into System -> Settings -> Switch and toggling off the “Allow administrative login using FortiCloud SSO” option.
Fortinet customers who detect any of the IOCs while checking their devices for post-exploitation evidence are advised to treat “the system and configuration as compromised,” rotate credentials (including any LDAP/AD accounts), and restore their configuration with a known clean version.
Internet security watchdog Shadowserver now tracks nearly 11,000 Fortinet devices exposed online that have FortiCloud SSO enabled. CISA also added CVE-2025-59718 to its list of actively exploited vulnerabilities on December 16 and ordered federal agencies to patch within a week.
BleepingComputer reached out to Fortinet several times this week with questions about these ongoing attacks, but the company has yet to respond.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.