Active Exploits Reported in “Fixed” FortiOS 7.4.9 Firmware by Fortinet Admins


Understanding the Recent Fortinet Single Sign-On Vulnerability: CVE-2025-59718

Network security is an ever-evolving field, and vulnerabilities can surface even in systems presumed secure. Administrators worldwide were alarmed by reports concerning CVE-2025-59718, a critical authentication-bypass vulnerability in the Single Sign-On (SSO) functionality of Fortinet's FortiOS.

Overview of the Vulnerability

Disclosed in December 2025, CVE-2025-59718 is severe because it allows an unauthenticated attacker to bypass administrative authentication on FortiGate firewalls by manipulating the Security Assertion Markup Language (SAML) assertions exchanged during SSO. Fortinet released FortiOS 7.4.9 as the fix. Field reports now suggest that the update did not fully close the hole, and that devices believed to be patched are still being compromised.

The Resurgence of the “Zombie” Vulnerability

Within roughly 48 hours of a new wave of reports on community forums, Reddit in particular, it became evident that devices already running FortiOS 7.4.9 were still being breached. Verified administrators shared log evidence of unauthorized administrative logins arriving via FortiCloud SSO.

Victims reported that attackers gained access even on devices where the SSO feature was not actively used. Once logged in, the attackers typically created a local administrator account, often under a generic name such as "helpdesk", which gives them persistence that no longer depends on the SSO flaw. Disabling SSO after the fact therefore does not, by itself, evict an attacker who has already added such an account.

Technical Confusion and Speculations

The persistence of the issue has led to widespread speculation about the completeness of the patch. Some users claim that Fortinet support privately hinted the vulnerability might still be present even in the anticipated FortiOS 7.4.10 release, although no official confirmation has been made public.

The Exploit Mechanism

The exploit relies on the "Allow administrative login using FortiCloud SSO" setting, which is frequently enabled by default when a FortiGate is registered with FortiCloud. Because the setting can be on without anyone having consciously chosen it, administrators should assume their devices expose this login path unless they have verified otherwise.

In the current climate, security practitioners recommend a "trust no patch" stance toward the SSO feature. The only workaround that experts currently agree on is to disable the feature directly through the Command Line Interface (CLI), regardless of the firmware version in use.

Administrators should run the following CLI commands on every FortiGate unit (the setting lives under `system global`):

```text
config system global
    set admin-forticloud-sso-login disable
end
```

Indicators of Compromise (IOCs)

Organizations running FortiOS 7.4.x, including version 7.4.9, which was presumed fixed, are advised to audit their system event logs immediately. The audit should focus on the following activities:

  1. Unexpected SSO logins:
    Look for successful administrative logins whose method is forticloud-sso, especially from unfamiliar public IP addresses.

  2. New administrator accounts:
    Check for recently created administrator accounts with generic names such as helpdesk, support, or fortinet-admin.

  3. Configuration exports:
    Look for a full system configuration backup or download shortly after such an SSO login; the exported configuration contains credentials and network details that enable follow-on attacks.
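The three indicators above can be checked mechanically rather than by eye. The script below is an added example, not Fortinet's tooling or code from the original reports: it parses FortiGate-style key=value event lines, then flags (1) successful forticloud-sso logins from outside an allowlist of trusted networks, (2) creation of administrator accounts with the generic names listed above or any administrator account created shortly after an SSO login, and (3) a configuration backup within a short window after an SSO login. The sample log lines are constructed and only approximate the FortiGate event format; the field names (`logdesc`, `method`, `srcip`, `cfgpath`, `cfgobj`, `action`), the 30-minute window and the trusted network are assumptions you should adjust to your own logs.

```python
"""Hunt FortiGate event logs for the FortiCloud-SSO indicators of compromise.

Added example; the sample lines below are constructed and the field names are
assumptions about the FortiGate key=value log format, not a Fortinet spec.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: one SSO intrusion (02:14-02:16) and one benign admin session (09:00-09:05).
SAMPLE_LOGS = """\
date=2025-12-19 time=02:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.57)" method="forticloud-sso" srcip=203.0.113.57 action="login" status="success"
date=2025-12-19 time=02:14:52 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.57)" action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
date=2025-12-19 time=02:16:30 type="event" subtype="system" logdesc="Configuration backup" user="admin" ui="https(203.0.113.57)" action="backup" msg="Configuration backup by admin"
date=2025-12-19 time=09:00:11 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(10.0.5.20)" method="https" srcip=10.0.5.20 action="login" status="success"
date=2025-12-19 time=09:05:00 type="event" subtype="system" logdesc="Object attribute configured" user="netops" ui="https(10.0.5.20)" action="Add" cfgpath="system.admin" cfgobj="jsmith" msg="Add system.admin jsmith"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SUSPICIOUS_ADMIN_NAMES = {"helpdesk", "support", "fortinet-admin"}
POST_LOGIN_WINDOW = timedelta(minutes=30)      # assumption: how long after an SSO login to correlate
TRUSTED_NETS = [ip_network("10.0.0.0/8")]      # assumption: your management networks go here


def parse_event(line):
    """Turn one key=value log line into a dict; adds a datetime under '_ts'."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    if "date" in fields and "time" in fields:
        fields["_ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def is_trusted(ip, trusted_nets):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def recent_sso_login(ts, sso_logins, window):
    """Return the most recent SSO login that happened within `window` before `ts`, if any."""
    for login in reversed(sso_logins):
        if timedelta(0) <= ts - login["_ts"] <= window:
            return login
    return None


def hunt(lines, trusted_nets=TRUSTED_NETS, window=POST_LOGIN_WINDOW):
    """Return a list of (indicator, timestamp, user, detail) tuples in chronological order."""
    events = [ev for ev in (parse_event(l) for l in lines if l.strip()) if "_ts" in ev]
    events.sort(key=lambda ev: ev["_ts"])
    findings, sso_logins = [], []
    for ev in events:
        ts, user = ev["_ts"], ev.get("user", "?")
        # IOC 1: successful forticloud-sso login, flagged when the source is not a trusted network.
        if ev.get("action") == "login" and ev.get("status") == "success" and ev.get("method") == "forticloud-sso":
            sso_logins.append(ev)
            src = ev.get("srcip", "")
            if not is_trusted(src, trusted_nets):
                findings.append(("sso_login_untrusted_ip", ts, user, src))
        # IOC 2: new administrator account, generic name or created soon after an SSO login.
        if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            name = ev.get("cfgobj", "").lower()
            if name in SUSPICIOUS_ADMIN_NAMES or recent_sso_login(ts, sso_logins, window):
                findings.append(("suspicious_admin_created", ts, user, name))
        # IOC 3: configuration backup/export shortly after an SSO login.
        if ev.get("logdesc") == "Configuration backup":
            login = recent_sso_login(ts, sso_logins, window)
            if login:
                findings.append(("config_export_after_sso_login", ts, user, login.get("srcip", "")))
    return findings


def run_sample():
    """Run the hunt over the constructed sample; three findings are expected."""
    return hunt(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for indicator, ts, user, detail in run_sample():
        print(f"{ts} {indicator:32} user={user} detail={detail}")
```

Feed real exported event logs in as `lines` and populate `TRUSTED_NETS` with your actual management ranges; the correlation window is deliberately conservative, since the reported intrusions created the persistence account and pulled the configuration within minutes of the SSO login. Note that the script only surfaces candidates: an SSO login from an untrusted address is worth an incident ticket, not automatically proof of compromise.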

Community Response Amid Uncertainty

With trust in the official patch cycle eroding, the security community has taken on the task of circulating Indicators of Compromise (IOCs) and workarounds faster than the vendor issues formal advisories. Under the circumstances, disabling FortiCloud SSO administrative login, and then auditing for the accounts and exports described above, is the essential preemptive measure for FortiGate operators.
