Patched Fortinet Firewalls Breached in 2026: Authentication Bypass Exposes Enterprise Networks
Executive Summary
In January 2026, patched FortiGate firewalls running FortiOS versions 7.4.9 and 7.4.10 were actively breached due to exploitation of a lingering authentication bypass flaw (CVE-2025-59718) in the FortiCloud SSO login feature. Despite an earlier patch, attackers utilized crafted SAML messages to create rogue admin accounts on exposed devices, as observed in customer logs and confirmed by Fortinet developers. More than 11,000 Internet-facing Fortinet devices remained vulnerable as attackers leveraged the flaw to gain privileged access and potentially compromise network defenses, triggering urgent remediation efforts.
This incident underscores persisting risks from incomplete remediation, especially on security appliances pivotal to organizational defenses. Growing attacker expertise in exploiting authentication logic flaws and a surge in identity-based attacks highlight the necessity for ongoing vigilance, layered compensating controls, and rapid vulnerability response strategies.
Why This Matters Now
Organizations are at risk because a critical authentication bypass vulnerability remains unaddressed on thousands of Internet-exposed devices, even after official patches. Attackers are exploiting trusted firewall infrastructure, demonstrating that delayed or incomplete remediation can expose enterprise networks to rapid compromise and regulatory scrutiny.
Attack Path Analysis
Attackers exploited an authentication bypass (CVE-2025-59718) via malicious SAML messages to gain unauthorized FortiGate admin access. They created new privileged accounts and potentially modified configuration for persistence. While no evidence of internal pivoting emerged, attackers could have explored or moved laterally within the network if segmentation was insufficient. Ongoing attacker control may have enabled C2 or further actions, and defenders remain concerned about potential unauthorized data exfiltration. The full operational or business impact appears limited but could escalate absent additional controls.
Kill Chain Progression
Initial Compromise
Description
Exploitation of a FortiGate SSO authentication bypass vulnerability (CVE-2025-59718) via crafted SAML messages allowed attackers to gain initial privileged access.
Related CVEs
CVE-2025-59718
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet products allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, 7.0.0 through 7.0 ... 21
Fortinet FortiSwitchManager – 7.2.0 through ... 6, 7.0.0 through ... 5
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages.
Affected Products:
Fortinet FortiWeb – 7.6.0 through ... , 7.4.0 through ... , 7.2.0 through ... , 7.0.0 through ... , 8.0.0 through ...
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
This baseline MITRE ATT&CK mapping highlights key exploitation, persistence, and evasion TTPs associated with the documented authentication bypass in FortiGate devices. Additional enrichment may follow for improved STIX/TAXII contextualization.
Exploit Public-Facing Application
Modify Authentication Process: Web Portal
Create Account
Valid Accounts
Phishing: Spearphishing via Service
Use Alternate Authentication Material: Pass the Hash
OS Credential Dumping
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Enforce Strong Authentication and Access Controls
Control ID: Identity Pillar: Authentication & Access Control
NIS2 Directive – Security in Network and Information Systems
Control ID: Article 21 (2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Critical authentication bypass vulnerability in FortiGate firewalls directly compromises security infrastructure, enabling unauthorized administrative access and potential complete network takeover through SSO exploitation.
Financial Services
Authentication bypass attacks on financial network perimeters threaten PCI compliance, enable lateral movement for payment data exfiltration, and compromise encrypted traffic protection mechanisms.
Government Administration
Federal agencies face CISA-mandated patching deadlines for FortiGate vulnerabilities, with authentication bypass risks exposing classified networks to unauthorized administrative access and data breaches.
Health Care / Life Sciences
Healthcare networks using FortiGate firewalls face HIPAA compliance violations through authentication bypass attacks, compromising patient data protection and enabling unauthorized access to medical systems.
Sources
- Fortinet admins report patched FortiGate firewalls getting hackedhttps://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/Verified
- Fortinet FortiOS CVE-2025-59718: Improper Verification of Cryptographic Signaturehttps://www.rapid7.com/db/vulnerabilities/fortios-cve-2025-59718/Verified
- Fortinet FortiWeb CVE-2025-59719: Improper Verification of Cryptographic Signaturehttps://www.rapid7.com/db/vulnerabilities/fortiweb-cve-2025-59719/Verified
- Authentication Bypass in Multiple Fortinet Products (CVE-2025-59718)https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/cve-2025-59718-fortinet-auth-bypassVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust network segmentation, identity-aware controls, and egress enforcement would have prevented unauthorized admin access from spreading, limited internal pivoting, and blocked potential data exfiltration—even in the presence of an unpatched authentication bypass. Distributed policy enforcement and cloud-native inspection raise detection and response efficacy at each phase.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline enforcement detects and blocks known exploit traffic targeting management interfaces.
Control: Zero Trust Segmentation
Mitigation: Least-privilege segmentation restricts unauthorized privilege increases.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are blocked by enforcing strict workload-to-workload policies.
Control: Multicloud Visibility & Control
Mitigation: Unusual admin behaviors or remote management activity are detected and alerted promptly.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data exfiltration is prevented by real-time egress filtering.
Critical management and policy change attempts are monitored and constrained.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- User Authentication Services
- Remote Access Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of administrative credentials and configuration data, leading to unauthorized access and control over network security devices.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately disable vulnerable SSO login features or limit exposure of management interfaces to trusted networks only.
- • Enforce Zero Trust Segmentation and east-west workload isolation to block attacker movement post-compromise.
- • Deploy inline, cloud-native enforcement to inspect and block known exploit and authentication bypass attempts in real time.
- • Rigorously apply egress controls and central visibility to detect and prevent unauthorized data exfiltration or suspicious admin activity.
- • Continuously update threat detection and anomaly response capabilities linked to all privileged access and control plane actions.
