FortiGate on alert over CVE-2025-59718: FortiCloud SSO continues to be exploited despite patches, and the call is to disable it now


Network administrators who run FortiGate devices have been on alert for days: a vulnerability in FortiCloud SSO authentication that appeared to have been fixed (tracked as CVE-2025-59718) is again being exploited to take control of firewalls, even on devices with recent patches. User reports and incident analyses indicate that the update announced as the fix did not completely close the access path, still allowing attackers to create administrative accounts remotely and manage devices as if they held legitimate credentials.

Several signs point to the seriousness of the situation: evidence of active exploitation, logs shared by administrators, and the inclusion of the vulnerability in official risk catalogues. In technical forums, several administrators have published logs showing the creation of an administrator user right after an SSO login from an account identified as cloud-init@mail.io and the IP address 104.28.244.114, a pattern that matches incidents previously detected in December. The same administrators report that their devices run versions that should have corrected the flaw, which suggests that the original patch did not close every exploitation vector.


Fortinet published a technical note on this incident on its security portal (PSIRT), explaining the scope of the problem and the recommended mitigation; it is the official reference for checking affected versions and scheduled updates: Fortinet PSIRT - FG-IR-25-647. For its part, the US Cybersecurity and Infrastructure Security Agency (CISA) has already added this entry to its catalogue of actively exploited vulnerabilities, which obliges federal agencies to implement measures within a short deadline: CISA - Known Exploited Vulnerabilities (CVE-2025-59718).

One factor that increases the risk is the public exposure of devices with FortiCloud SSO enabled. In December, Shadowserver reported more than 25,000 Internet-reachable devices with this feature enabled; since then several thousand have been deactivated, but more than 11,000 devices remain potentially reachable from the public network: Shadowserver - FortiCloud SSO exposed.

While Fortinet prepares new versions of the operating system (FortiOS 7.4.11, 7.6.6 and 8.0.0, according to internal communications and management reports) to close the flaw for good, the practical and urgent recommendation for anyone who may be at risk is to temporarily disable administrative login via FortiCloud SSO. That functionality is not enabled by default on devices that are not registered with FortiCare, but where it is enabled it can become the gateway that attackers are taking advantage of.

If you manage FortiGate devices, you can disable the FortiCloud SSO login from the graphical interface by browsing to System → Settings and setting the "Allow administrative login using FortiCloud SSO" option to Off. If you prefer the command line, the instructions to disable it are simple; run the following commands in the device's CLI:

config system global
    set admin-forticloud-sso-login disable
end

Disabling that option immediately reduces the attack surface, but it is not the only reasonable measure. Local users and access logs should be audited to detect new accounts or unusual activity, the IMS or centralized management logs should be reviewed to track suspicious SSO logins, and any device that shows signs of compromise should be quarantined. If you detect administrative accounts that you did not create, isolate the device and treat the incident as an intrusion: change passwords, revoke compromised keys and certificates, and restore the integrity of the device from a verified backup before reconnecting it to production.
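As an added illustration of the audit described above (not code from the article or from Fortinet), the following Python script scans event-log lines for the pattern the administrators reported: an admin login from a watchlisted user or source IP followed shortly by the creation of a system.admin object. The sample lines are constructed; their field names approximate the FortiOS key=value event-log format (date, time, action, status, user, ui, cfgpath, cfgobj, msg) and must be checked against your own device's output, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real captures). The user and IP values are the
# indicators quoted in the article; everything else is made up for the example.
SAMPLE_LOGS = """\
date=2026-01-05 time=09:14:02 type="event" subtype="system" action="login" status="success" user="cloud-init@mail.io" ui="https(104.28.244.114)" msg="Administrator cloud-init@mail.io logged in successfully from https(104.28.244.114)"
date=2026-01-05 time=09:14:20 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="sysadmin2" user="cloud-init@mail.io" ui="https(104.28.244.114)" msg="Add system.admin sysadmin2"
date=2026-01-05 time=10:02:11 type="event" subtype="system" action="login" status="success" user="admin" ui="https(10.0.0.5)" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2026-01-05 time=10:30:00 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="helpdesk" user="admin" ui="https(10.0.0.5)" msg="Add system.admin helpdesk"
"""

# key=value pairs, where the value is either quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def source_ip(fields):
    """Extract the IPv4 address from a ui field such as https(203.0.113.7)."""
    m = re.search(r'\((\d{1,3}(?:\.\d{1,3}){3})\)', fields.get("ui", ""))
    return m.group(1) if m else None

def timestamp(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")

def find_suspicious_admin_creations(lines, watch_ips, watch_users, window=timedelta(minutes=10)):
    """Flag each system.admin creation done by a watchlisted user/IP, or done within
    `window` after a successful login from a watchlisted user/IP (lines are assumed
    to be in chronological order, as exported from the device)."""
    hits, recent_logins = [], []
    for fields in (parse_line(l) for l in lines if l.strip()):
        ip, user, ts = source_ip(fields), fields.get("user"), timestamp(fields)
        watched = ip in watch_ips or user in watch_users
        if fields.get("action") == "login" and fields.get("status") == "success" and watched:
            recent_logins.append(ts)
        if fields.get("action") == "Add" and fields.get("cfgpath") == "system.admin":
            if watched or any(ts - t <= window for t in recent_logins):
                hits.append({"new_admin": fields.get("cfgobj"), "by_user": user,
                             "src_ip": ip, "time": fields["time"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_admin_creations(SAMPLE_LOGS.splitlines(),
                                               {"104.28.244.114"}, {"cloud-init@mail.io"}):
        print("SUSPICIOUS admin account created:", hit)
```

Any hit should be treated as an indicator to isolate the device and begin the intrusion handling steps described above, not as proof on its own.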


The security community has already documented exploitation patterns that point to the sending of manipulated SAML messages as the vector for impersonating users and creating privileged accounts. Earlier analyses published by cybersecurity firms link the December incidents to early forms of the same modus operandi now being observed; it is therefore key not only to apply the temporary block, but also to watch for new official updates from Fortinet and to apply them as soon as they are confirmed to be complete.

Finally, while the main mitigation is technical, there is an important operational dimension: communicate clearly and quickly with the affected teams, coordinate with the vendor's support and, where appropriate, with regulatory bodies, and preserve evidence for forensic analysis. Public discussion of these incidents is already circulating in specialized forums - for example, administrators have posted references and log samples in technical threads - and the authorities and response teams are following developments. For more context and official sources, check the Fortinet advisory and the CISA catalogue entry mentioned above.

The immediate lesson for security officers is simple but firm: if your FortiGate has FortiCloud SSO enabled, disable it now and monitor for signs of unauthorized access until Fortinet publishes and verifies a patch that closes all bypass variants.
