A critical security flaw in Fortinet’s Single Sign-On (SSO) feature for FortiGate firewalls, identified as CVE-2025-59718, is currently being exploited by attackers in the wild.
The vulnerability affects the FortiCloud SSO authentication mechanism used by FortiOS, allowing remote attackers to bypass normal login protections and gain unauthorized access. Threat actors are successfully using this weakness to create local administrative accounts on vulnerable firewalls — effectively granting themselves full control over these devices.
What’s Happening in the Wild
Security researchers and administrators have observed malicious SSO login activity on exposed FortiGate appliances. For example, incidents shared by network operators describe unexpected SSO logins followed by the creation of rogue admin accounts (such as an account labeled “helpdesk”) with complete privileges.
These attacks have occurred even on devices that were believed to be patched, indicating that the fix either has not reached some firmware versions or is incomplete in certain builds.
Analysis of attack patterns suggests that internet-exposed FortiGate firewalls with FortiCloud SSO enabled are prime targets for this campaign.
Impact and Recommendations
- Administrative takeovers: Successful exploitation lets attackers bypass authentication and assume administrator roles.
- Exposed devices: Security scans indicate that tens of thousands of devices worldwide with FortiCloud SSO enabled could be at risk.
To mitigate the threat before patch updates are applied, system owners are advised to:
- Disable FortiCloud SSO login from the CLI or the management GUI so that malicious remote SSO authentication attempts are refused.
- Review firewall audit logs for unusual SSO login events or new admin account creation.
- Segment network access to restrict administrative interfaces from public access.
- Apply firmware updates as soon as Fortinet releases fixed versions.
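The log-review step above can be automated. The following script is an added example written for this article; it is not code from the article, from the operators quoted, or from Fortinet. It parses FortiOS-style key="value" event-log lines and flags three things: successful SSO administrator logins, creation of a `system.admin` object shortly after an SSO login by the same user, and any change that assigns the `super_admin` profile to an admin object. The log lines are constructed for the example; field names such as `logdesc`, `action`, `user`, `ui`, `cfgpath` and `cfgobj` follow the usual FortiOS event-log layout, but the `method="sso"` marker and the exact message strings are assumptions, so adjust the matching to what your own firewall actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines approximating FortiOS key="value" event syslog.
# The method="sso" value and message texts are assumptions for this example.
SAMPLE_LOGS = [
    'date=2025-12-01 time=09:00:12 logdesc="Admin login successful" action="login" '
    'status="success" user="admin" ui="https(10.0.0.5)" method="https" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2025-12-01 time=11:41:03 logdesc="Admin login successful" action="login" '
    'status="success" user="fortisso-user" ui="https(203.0.113.77)" method="sso" '
    'msg="Administrator fortisso-user logged in successfully"',
    'date=2025-12-01 time=11:42:30 logdesc="Object attribute configured" action="Add" '
    'user="fortisso-user" ui="https(203.0.113.77)" cfgpath="system.admin" '
    'cfgobj="helpdesk" msg="Add system.admin helpdesk"',
    'date=2025-12-01 time=11:42:31 logdesc="Attribute configured" action="Edit" '
    'user="fortisso-user" ui="https(203.0.113.77)" cfgpath="system.admin" '
    'cfgobj="helpdesk" cfgattr="accprofile[super_admin]" msg="Edit system.admin helpdesk"',
    'date=2025-12-01 time=15:10:00 logdesc="Object attribute configured" action="Add" '
    'user="admin" ui="ssh(10.0.0.5)" cfgpath="firewall.address" cfgobj="srv-01" '
    'msg="Add firewall.address srv-01"',
]

# Matches key=value where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key="value" log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def event_time(fields):
    """Combine the FortiOS date and time fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def find_suspicious(lines, window=timedelta(minutes=30)):
    """Return a list of (kind, user, detail, time) findings.

    kind is one of:
      sso_login                - successful admin login via SSO
      admin_created_after_sso  - system.admin object added within `window`
                                 of an SSO login by the same user
      admin_super_profile      - an admin object given the super_admin profile
    """
    findings = []
    last_sso_login = {}  # user -> time of most recent SSO login
    for line in lines:
        f = parse_line(line)
        t = event_time(f)
        user = f.get("user", "")
        if f.get("action") == "login" and f.get("status") == "success" and f.get("method") == "sso":
            last_sso_login[user] = t
            findings.append(("sso_login", user, f.get("ui", ""), f["time"]))
        if f.get("cfgpath") == "system.admin":
            if f.get("action") == "Add":
                prior = last_sso_login.get(user)
                if prior is not None and t - prior <= window:
                    findings.append(("admin_created_after_sso", user, f.get("cfgobj", ""), f["time"]))
            if "super_admin" in f.get("cfgattr", ""):
                findings.append(("admin_super_profile", user, f.get("cfgobj", ""), f["time"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail, when in find_suspicious(SAMPLE_LOGS):
        print(f"{when} {kind:24} user={user} {detail}")
```

Feed it the output of a syslog export (one event per line) rather than the constructed sample to run it against a real device; the 30-minute correlation window is an arbitrary starting point and can be widened if attackers on your network act more slowly.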
Fortinet’s Product Security Incident Response Team (PSIRT) has acknowledged the issue and is investigating the incidents, with plans to issue further advisories and CVE details.
