Executive Summary
In January 2026, Fortinet confirmed the existence of a critical authentication bypass (CVE-2025-59718) affecting its FortiCloud SSO feature, leaving fully patched devices vulnerable to compromise. Attackers exploited a patch bypass to gain administrative access, quickly creating VPN-enabled accounts and exfiltrating firewall configurations. Despite an earlier advisory, threat actors continued to exploit an unaddressed attack path, with the campaign becoming automated and impacting organizations globally. Evidence included unauthorized logins and suspect account creation, prompting urgent investigation and forensic response from network teams.
This breach illustrates the growing risk posed by incomplete patches and the relentless pursuit by attackers of residual vulnerabilities, particularly in widely deployed network security products. It underscores the critical need for continuous monitoring, rapid patch validation, and limiting administrative access to sensitive management interfaces.
Why This Matters Now
Immediate action is required as attackers are exploiting a live authentication bypass in fully patched Fortinet devices, highlighting the urgency for network admins to restrict Internet-facing access and disable vulnerable SSO features. The incident reflects the increased sophistication of attackers targeting security infrastructure, raising urgent concerns for enterprises, government agencies, and sector regulators.
Attack Path Analysis
Attackers exploited an authentication bypass vulnerability in FortiCloud SSO to gain unauthorized access to firewalls. They quickly escalated privileges by creating admin accounts with VPN access. There is no direct evidence of lateral movement, but attackers may have explored internal environments. Some degree of command and control was established as they automated the compromise from an external IP. Attackers exfiltrated firewall configurations immediately upon access. Although disruptive actions are not explicitly detailed, exposure of sensitive configurations risks further impact or business disruption.
Kill Chain Progression
Initial Compromise
Description
Exploited a FortiCloud SSO authentication bypass (CVE-2025-59718) to gain unauthorized access to administrative interfaces on Fortinet firewalls.
Related CVEs
CVE-2025-59718
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet products allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2. ... , 7.0.0 through ...
Fortinet FortiSwitchManager – 7.2.0 through ... , 7.0.0 through ...
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb allows unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages.
Affected Products:
Fortinet FortiWeb – 8.0.0, 7.6.0 through ... 4, 7.4.0 through ...
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts: Default Accounts
Create Account
Modify Authentication Process: Web Portal
Valid Accounts
Exfiltration Over C2 Channel
Account Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Administrative Access
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy; Access Privileges
Control ID: 500.03, 500.07
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Enforce Least Privilege and Strong Authentication
Control ID: Identity Pillar, Access Controls
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical authentication bypass in Fortinet FortiCloud SSO exposes banking infrastructure to automated attacks, compromising firewall configurations and admin access within seconds.
Government Administration
CISA-catalogued CVE-2025-59718 vulnerability enables threat actors to bypass authentication on government Fortinet devices, creating unauthorized admin accounts and stealing configurations.
Health Care / Life Sciences
FortiCloud SSO authentication bypass threatens HIPAA compliance requirements, allowing attackers to compromise healthcare network security controls and access protected infrastructure.
Computer/Network Security
Incomplete patch for FortiCloud authentication bypass demonstrates zero trust segmentation failures, highlighting need for enhanced egress security and policy enforcement capabilities.
Sources
- Fortinet confirms critical FortiCloud auth bypass not fully patchedhttps://www.bleepingcomputer.com/news/security/fortinet-confirms-critical-forticloud-auth-bypass-not-fully-patched/Verified
- Analysis of Single Sign On (SSO) abuse on FortiOShttps://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortiosVerified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalogVerified
- Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities Actively Exploited (CVE-2025-59718 ... CVE-2025- ... )https://kudelskisecurity.com/research/fortinet-forticloud-sso-authentication-bypass-vulnerabilities-actively-exploited-cve-2025-59718-cve-2025-59719Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
A combination of zero trust segmentation, control plane policy enforcement, east-west traffic controls, and robust egress security can dramatically reduce the attack surface and impede all key steps of this kill chain. By restricting unauthorized access, segmenting admin functions, and enforcing granular policies, CNSF-aligned controls limit both exploitation and data theft even in the event of an authentication bypass.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline control plane enforcement would block unauthorized admin access attempts at the network layer.
Control: Zero Trust Segmentation
Mitigation: Least privilege segmentation would restrict privilege escalation to defined identities and policy scopes.
Control: East-West Traffic Security
Mitigation: Microsegmentation would contain network traversal attempts within permissible trust boundaries.
Control: Multicloud Visibility & Control
Mitigation: Automated detection of anomalous login and automation patterns enables rapid detection and response.
Control: Egress Security & Policy Enforcement
Mitigation: Egress filtering blocks unauthorized outbound transfer of sensitive data to external destinations.
Ongoing visibility into admin and data flows enables rapid remediation and limits downstream impact.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- IT Infrastructure Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of firewall configurations, including network layouts, firewall rules, and hashed administrative credentials, which could lead to unauthorized access and further exploitation.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately enforce local-in policies to restrict administrative access to approved IP ranges only.
- • Implement zero trust segmentation to confine sensitive admin and VPN functions within the smallest necessary trust boundary.
- • Enable and continuously monitor multicloud traffic observability and anomaly detection to rapidly identify suspicious automation and unauthorized logins.
- • Deploy strong egress policy enforcement to block exfiltration of sensitive configurations or data to untrusted destinations.
- • Regularly audit and rotate credentials, and restore configurations from known good states after any sign of compromise.
