Fortinet has confirmed that a critical vulnerability in its FortiCloud Single Sign-On (SSO) system, tracked as CVE-2025-59718, remains unpatched despite previous assurances. The announcement follows alarming reports from network administrators who indicated that their fully updated firewalls had been compromised. These incidents have raised significant concerns among Fortinet’s customer base, particularly as the attacks appear to exploit a patch bypass for an issue that should have been addressed as early as December 2023.
The cybersecurity firm Arctic Wolf reported that the wave of attacks began on January 15, 2024, with threat actors swiftly creating accounts that granted them VPN access and allowed them to steal sensitive firewall configurations almost immediately. The tactics employed in these attacks resemble earlier incidents documented in December, following the disclosure of the CVE-2025-59718 vulnerability.
Fortinet’s Response and Ongoing Investigation
On January 18, 2024, Fortinet acknowledged the ongoing exploitation of CVE-2025-59718, confirming that the current attacks mirror those observed in December. The company stated it is actively working to resolve the issue. Logs shared by affected customers indicate that attackers created administrative accounts following an SSO login from the email address [email protected], associated with the IP address 104.28.244.114. These findings align with the indicators of compromise identified by Arctic Wolf in its analysis of the attacks on FortiGate devices.
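The pattern the customer logs describe, an SSO administrator login followed shortly by the creation of administrator or local user accounts, is one a defender can hunt for directly in FortiGate event logs. The script below is an added example written for this article, not code from Fortinet or Arctic Wolf. The log lines are constructed; they follow the key=value layout of FortiOS event logs, but the exact field names (`method=forticloud-sso`, `action=Add`, `cfgpath`, `cfgobj`) are assumptions, so map them to whatever your firmware version actually emits before relying on the rule.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed FortiOS-style event log lines for this example (not captured from a real device).
# Line 1-3: an SSO login from an outside address, then an admin account and a VPN user are added.
# Line 4: an SSO login from the management network that creates nothing.
# Line 5-6: a normal HTTPS admin login from the management network that adds a helpdesk admin.
SAMPLE_LOGS = """\
date=2024-01-15 time=03:12:05 type=event subtype=system action=login status=success user="sso-user" srcip=203.0.113.7 method=forticloud-sso msg="Administrator sso-user logged in successfully via FortiCloud SSO"
date=2024-01-15 time=03:12:41 type=event subtype=system action=Add user="sso-user" srcip=203.0.113.7 cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2024-01-15 time=03:13:10 type=event subtype=system action=Add user="sso-user" srcip=203.0.113.7 cfgpath="user.local" cfgobj="vpnuser1" msg="Add user.local vpnuser1"
date=2024-01-15 time=08:40:00 type=event subtype=system action=login status=success user="ops-admin" srcip=10.0.0.9 method=forticloud-sso msg="Administrator ops-admin logged in successfully via FortiCloud SSO"
date=2024-01-15 time=09:00:00 type=event subtype=system action=login status=success user="admin" srcip=10.0.0.5 method=https msg="Administrator admin logged in successfully"
date=2024-01-15 time=09:05:00 type=event subtype=system action=Add user="admin" srcip=10.0.0.5 cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
""".splitlines()

# key=value pairs; values may be quoted strings containing spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Config paths whose creation right after an SSO login matches the reported behaviour
# (new administrators, new local users that can be granted VPN access).
SENSITIVE_PATHS = {"system.admin", "user.local"}


def parse_event(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return fields


def is_expected_source(ip, allowed_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_networks)


def find_sso_account_creation(lines, allowed_sources=(), window_minutes=30):
    """Flag every successful FortiCloud SSO login that is followed, by the same
    user and within the window, by creation of an admin or local user object.
    Returns one alert dict per suspicious login."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if (ev.get("action"), ev.get("method"), ev.get("status")) != ("login", "forticloud-sso", "success"):
            continue
        deadline = ev["ts"] + timedelta(minutes=window_minutes)
        created = [
            (e["cfgpath"], e["cfgobj"])
            for e in events[i + 1:]
            if e["ts"] <= deadline
            and e.get("user") == ev["user"]
            and e.get("action") == "Add"
            and e.get("cfgpath") in SENSITIVE_PATHS
        ]
        if created:
            alerts.append({
                "login_time": ev["ts"],
                "user": ev["user"],
                "srcip": ev["srcip"],
                "unexpected_source": not is_expected_source(ev["srcip"], allowed),
                "created": created,
            })
    return alerts


if __name__ == "__main__":
    for a in find_sso_account_creation(SAMPLE_LOGS, allowed_sources=["10.0.0.0/8"]):
        flag = "UNEXPECTED SOURCE" if a["unexpected_source"] else "known source"
        print(f"{a['login_time']} {a['user']}@{a['srcip']} ({flag}) created: {a['created']}")
```

Only the first SSO login is reported: it is followed by two sensitive object creations and comes from outside the management range. The HTTPS login that adds a helpdesk admin is deliberately not matched, because the rule targets the SSO path the article describes; a broader rule would also alert on admin creation from any source not on the expected list.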
Carl Windsor, Fortinet’s Chief Information Security Officer, addressed the situation, stating, “Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue. However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” Windsor assured customers that Fortinet is prioritizing a fix and will issue an advisory once more information is available.
Recommendations for Affected Customers
In light of the ongoing vulnerability, Windsor urged Fortinet customers to take immediate action. He recommended restricting administrative access to edge network devices by applying a local-in policy that limits access to specific IP addresses. Additionally, customers should disable the FortiCloud SSO feature by navigating to System -> Settings -> Switch and toggling off the “Allow administrative login using FortiCloud SSO” option.
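Both of Windsor's recommendations can be verified against a configuration export rather than by clicking through the GUI on every device. The audit below is an added example for this article, not Fortinet code: it walks a FortiOS-style `config`/`edit`/`set`/`next`/`end` text and reports whether FortiCloud SSO admin login is explicitly disabled and whether a local-in policy restricts administrative services to named source addresses. The CLI setting name `admin-forticloud-sso-login` under `config system global` and the `firewall local-in-policy` layout come from the editor's knowledge of FortiOS, not from the article, and the two configurations are constructed for the example; confirm both against the CLI reference for your firmware before using this on real exports.

```python
import shlex

# Constructed "before" export: SSO login left on, no local-in restriction.
WEAK_CONFIG = """\
config system global
    set hostname "edge-fw"
    set admin-forticloud-sso-login enable
end
"""

# Constructed "after" export: SSO login off, admin services reachable from MGMT_NET only.
HARDENED_CONFIG = """\
config system global
    set hostname "edge-fw"
    set admin-forticloud-sso-login disable
end
config firewall address
    edit "MGMT_NET"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_NET"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
"""

LOCAL_IN = "firewall local-in-policy"


def audit_admin_exposure(config_text):
    """Parse a FortiOS-style config export and return findings about
    FortiCloud SSO admin login and local-in restrictions on admin access."""
    path = []            # stack of open config/edit blocks
    current = None       # attributes of the edit block being read
    policies = []        # completed local-in policy entries
    sso_disabled = False  # conservative assumption: treat "not explicitly disabled" as enabled

    for raw in config_text.splitlines():
        toks = shlex.split(raw)
        if not toks:
            continue
        kw = toks[0]
        if kw == "config":
            path.append(" ".join(toks[1:]))
        elif kw == "edit":
            path.append(toks[1])
            current = {"id": toks[1]}
        elif kw == "next":
            path.pop()
            if path and path[-1] == LOCAL_IN:
                policies.append(current)
            current = None
        elif kw == "end":
            path.pop()
        elif kw == "set":
            key, vals = toks[1], toks[2:]
            if path == ["system global"] and key == "admin-forticloud-sso-login":
                sso_disabled = vals == ["disable"]
            elif len(path) == 2 and path[0] == LOCAL_IN and current is not None:
                current[key] = vals

    accept_sources = [p.get("srcaddr", []) for p in policies if p.get("action") == ["accept"]]
    deny_catch_all = any(p.get("action") == ["deny"] and p.get("srcaddr") == ["all"] for p in policies)

    findings = []
    if not sso_disabled:
        findings.append("FortiCloud SSO administrative login is not disabled")
    if not policies:
        findings.append("no local-in policy restricts administrative access")
    elif not deny_catch_all:
        findings.append("local-in policy lacks a catch-all deny for admin services")
    if any("all" in src for src in accept_sources):
        findings.append("local-in policy accepts admin access from any source")

    return {
        "sso_disabled": sso_disabled,
        "accept_sources": accept_sources,
        "deny_catch_all": deny_catch_all,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_admin_exposure(cfg)["findings"] or ["no findings"])
```

The parser intentionally tracks only the two blocks the recommendation cares about, so it stays readable; the same stack walk extends naturally to other checks (for example, which interfaces have `allowaccess` enabled) once the relevant paths are added.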
Fortinet customers who suspect their systems have been compromised are advised to treat their configurations as vulnerable. They should rotate all relevant credentials, including any LDAP or Active Directory accounts, and restore their systems using known clean configurations.
As of now, the cybersecurity watchdog Shadowserver has identified nearly 11,000 Fortinet devices that remain exposed online with FortiCloud SSO enabled. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its list of actively exploited vulnerabilities on December 16, 2023, and mandated that federal agencies apply necessary patches within a week.
Despite multiple inquiries from various media outlets, including BleepingComputer, Fortinet has yet to respond to requests for further details regarding the continuing attacks and the status of the patch. As the situation develops, affected customers are urged to remain vigilant and follow recommended security protocols to protect their networks.
