LmCast :: Stay tuned in

Fortinet admins report patched FortiGate firewalls getting hacked

Recorded: Jan. 21, 2026, 6:03 p.m.

Original


Fortinet admins report patched FortiGate firewalls getting hacked

By Sergiu Gatlan

January 21, 2026, 12:49 PM

Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.

According to one affected admin, Fortinet has confirmed that the latest FortiOS release (7.4.10) does not fully address this authentication bypass, which was supposed to have been fixed in early December with the release of FortiOS 7.4.9.
Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.

"We just had a malicious SSO login on one of our FortiGates running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said.
The customer shared logs showing that the admin user was created from an SSO login by cloud-init@mail.io from IP address 104.28.244.114. These logs resemble the CVE-2025-59718 exploitation that cybersecurity company Arctic Wolf observed in December 2025, when it reported that attackers were actively abusing the flaw with maliciously crafted SAML messages to compromise admin accounts.
"We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named 'helpdesk'. We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added.
BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.
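The admins above noticed the compromise because their SIEM flagged a local admin account being created right after an SSO login. The following detection logic is an added example, not code from the article or from Fortinet: it parses key=value event lines in the style of FortiGate syslog (field names such as logdesc, user, ui, action, cfgpath and cfgobj follow that style, but the sample lines, the method="sso" value, the admin allowlist and the management prefixes are constructed assumptions) and flags system.admin additions made by SSO-authenticated, unknown or off-network actors.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on FortiGate key=value event logs; the field
# names follow the FortiGate syslog style, but the lines and values are made up.
SAMPLE_LOGS = """\
date=2026-01-20 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="https(104.28.244.114)" method="sso" status="success"
date=2026-01-20 time=03:12:55 type="event" subtype="system" logdesc="Object configured" user="cloud-init@mail.io" ui="https(104.28.244.114)" action="Add" cfgpath="system.admin" cfgobj="helpdesk"
date=2026-01-20 time=09:00:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(10.0.5.4)" method="ssh" status="success"
date=2026-01-20 time=09:01:10 type="event" subtype="system" logdesc="Object configured" user="admin" ui="ssh(10.0.5.4)" action="Add" cfgpath="system.admin" cfgobj="oncall"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
UI_IP_RE = re.compile(r"\(([^)]+)\)")              # ui="https(1.2.3.4)" -> 1.2.3.4

TRUSTED_ADMINS = {"admin"}     # assumed allowlist of expected local admin accounts
MGMT_PREFIXES = ("10.0.",)     # assumed management-network prefixes (toy check)


def parse_line(line):
    """Turn one key=value log line into a dict of string values."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}


@dataclass
class Finding:
    new_admin: str
    actor: str
    src_ip: str
    reasons: list


def detect_rogue_admin_creation(log_text):
    """Flag new system.admin objects created by suspicious actors or sessions."""
    sso_logins = set()   # (user, src_ip) pairs that authenticated via SSO
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        m = UI_IP_RE.search(ev.get("ui", ""))
        src_ip = m.group(1) if m else ""
        actor = ev.get("user", "")
        if ev.get("logdesc") == "Admin login successful" and ev.get("method") == "sso":
            sso_logins.add((actor, src_ip))
            continue
        if (ev.get("logdesc") != "Object configured"
                or ev.get("cfgpath") != "system.admin" or ev.get("action") != "Add"):
            continue
        reasons = []
        if (actor, src_ip) in sso_logins:
            reasons.append("actor authenticated via SSO")
        if actor not in TRUSTED_ADMINS:
            reasons.append("actor not in admin allowlist")
        if not src_ip.startswith(MGMT_PREFIXES):
            reasons.append("source outside management networks")
        if reasons:
            findings.append(Finding(ev.get("cfgobj", ""), actor, src_ip, reasons))
    return findings
```

Run against the sample, only the "helpdesk" creation is reported; the same rule applied to a real SIEM feed turns a post-hoc discovery into an alert at the moment the rogue account appears.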

Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
To disable FortiCloud login in the GUI, navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. Alternatively, run the following commands from the command-line interface:

config system global
set admin-forticloud-sso-login disable
end
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.
CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.
Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.


Summarized

Fortinet is facing a significant security challenge stemming from a persistent vulnerability within its FortiGate firewall systems. Reports indicate that patched versions of FortiOS, specifically 7.4.9 and subsequent releases like 7.4.10, are failing to fully address a critical authentication bypass flaw, designated as CVE-2025-59718. This vulnerability, which allows attackers to gain administrative access to the firewalls, was initially identified in December 2025 and continues to be actively exploited. Multiple Fortinet administrators have independently confirmed the ongoing issue, detailing instances where malicious Single Sign-On (SSO) logins, originating from IP address 104.28.244.114, were successfully used to create new system administrator accounts within their FortiGate systems. These attacks closely mirror those previously reported by Arctic Wolf, further showcasing the vulnerability's persistence.

The core of the issue revolves around an improper handling of SAML messages during the FortiCloud SSO authentication process. Attackers are leveraging this oversight to circumvent standard security checks and escalate privileges. BleepingComputer’s attempts to obtain a direct response from Fortinet regarding these reports have been unsuccessful. This lack of communication exacerbates the situation and raises concerns about the company’s responsiveness to critical security issues.

Shadowserver’s monitoring has revealed a concerning number of vulnerable Fortinet devices exposed online with FortiCloud SSO enabled. As of mid-December, over 25,000 devices were detectable, with a significant portion – more than half – having been secured after the initial discovery. However, Shadowserver continues to track approximately 11,000 devices still reachable through the internet, highlighting the ongoing challenge of securing these systems.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-59718 to its list of actively exploited vulnerabilities, mandating that federal agencies prioritize patching within a one-week timeframe. This urgency underscores the severity of the risk. Adding to the complexity, attackers are concurrently exploiting a separate critical FortiSIEM vulnerability, supported by publicly available proof-of-concept exploit code, allowing for code execution with root privileges on unpatched systems.

To mitigate the immediate threat, administrators are advised to temporarily disable the FortiCloud login feature (if enabled), either in the GUI or by running the command sequence `config system global; set admin-forticloud-sso-login disable; end` from the command-line interface. Beyond Fortinet's recommended workaround, continuous monitoring and prompt response remain vital. The persistence of this vulnerability underscores a need for improved authentication methodologies and stricter security protocols within Fortinet firewall deployments. The incident brings into sharp focus the critical importance of proactive vulnerability management and the potential consequences of unaddressed security weaknesses within widely deployed network infrastructure.