Fortinet Warns of Active Exploitation of FortiCloud SSO Bypass (CVE-2025-59718, CVE-2025-59719)

Fortinet Confirms Active Exploitation of FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

CRITICAL
January 27, 2026
January 28, 2026
4m read
VulnerabilityCyberattackPatch Management

Related Entities(initial)

Organizations

Fortinet

Products & Tech

FortiGateFortiCloudSAML

CVE Identifiers

CVE-2025-59718
CRITICAL
CVEDetails.com CVE.org
CVE-2025-59719
CRITICAL
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1133Persistence

External Remote Services

T1098.001Credential Access

Additional Cloud Credentials

T1136.001Persistence

Local Account

T1552.006Credential Access

Group Policy Preferences

Full Report(when first published)

Executive Summary

Fortinet has issued a critical warning confirming the active exploitation of an authentication bypass vulnerability in its FortiCloud Single Sign-On (SSO) feature. The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, allow attackers to gain unauthorized administrative access to FortiGate firewalls. Alarmingly, the attacks have been observed on fully patched devices, suggesting a logic flaw or a zero-day exploit chain. Attackers are leveraging the bypass to create rogue administrative accounts, enable remote access VPNs, and exfiltrate device configurations, posing a severe risk to affected organizations.

Vulnerability Details

  • CVE IDs: CVE-2025-59718, CVE-2025-59719
  • Product: FortiGate firewalls using FortiCloud Single Sign-On (SSO).
  • Vulnerability Type: Authentication Bypass.
  • Attack Vector: The vulnerability is exploited by sending a specially crafted SAML (Security Assertion Markup Language) message to the device. This appears to trick the SSO mechanism into granting administrative access without valid credentials.

Exploitation Status

Fortinet has confirmed active in-the-wild exploitation. The fact that attackers are targeting even fully patched systems suggests a sophisticated threat actor is involved. The post-exploitation activity indicates a clear goal: establish long-term persistence and gain deep insight into the victim's network architecture.

Post-Exploitation TTPs:

  1. Create Persistent Accounts: Attackers create new, high-privileged administrative accounts on the FortiGate device (T1136.001 - Local Account).
  2. Enable VPN Access: They configure or enable VPN access for these rogue accounts, providing them with persistent remote access to the network (T1133 - External Remote Services).
  3. Exfiltrate Configuration: The attackers download the firewall's full configuration. This file contains a wealth of information, including network topology, firewall rules, credentials, and IPsec keys, which can be used to plan further attacks.

Impact Assessment

This is a critical-level threat. A compromised perimeter firewall is one of the worst-case security scenarios.

  • Total Network Compromise: With administrative access to the firewall, an attacker has 'keys to the kingdom.' They can disable security policies, redirect traffic, and create pathways to attack any system on the internal network.
  • Persistent Access: The creation of rogue admin accounts allows the attacker to maintain access even if the initial vulnerability is patched.
  • Intelligence Gathering: The exfiltrated configuration file provides a complete blueprint of the victim's network security posture, enabling highly targeted and effective secondary attacks.
  • Data Breaches: Attackers can manipulate firewall rules to exfiltrate large volumes of data from the internal network.

Cyber Observables for Detection

Administrators must proactively hunt for these indicators:

Type
Log Source
Value
FortiGate System Event Logs
Description
Look for unexpected creation of new local administrator accounts.
Type
Log Source
Value
FortiGate VPN Logs
Description
Monitor for successful VPN connections from unknown IP addresses or associated with newly created accounts.
Type
Log Source
Value
FortiGate System Event Logs
Description
Search for events related to configuration downloads or backups initiated by suspicious accounts or at unusual times.
Type
Command Line Pattern
Value
diagnose system session list
Description
On the FortiGate CLI, check for active administrative sessions from unexpected source IPs.

Detection & Response

  1. Audit Administrative Accounts: Immediately review all local administrative accounts on your FortiGate firewalls. Investigate and disable any account that is not known and explicitly authorized.
  2. Review VPN Configurations: Audit all remote access VPN configurations, especially SSL-VPN and IPsec. Check for recently added user groups or policies.
  3. Analyze Logs: Scrutinize FortiGate logs for the observables listed above. Look for successful SAML logins that do not correlate with legitimate user activity. Pay close attention to logs from the time the vulnerability was announced. Reference D3FEND technique Authentication Event Thresholding.

Mitigation

Fortinet customers should take immediate action:

  1. Follow Fortinet's Guidance: Monitor Fortinet's PSIRT advisories for official mitigation steps, which may include disabling FortiCloud SSO, applying new patches when available, or implementing specific firewall rules.
  2. Restrict Access: Restrict access to the FortiGate management interface to a limited set of trusted IP addresses. This will not block the exploit itself but will reduce the attack surface.
  3. Implement Multi-Factor Authentication (MFA): Enforce MFA for all administrative access to the FortiGate. While the vulnerability is an SSO bypass, having MFA as a policy can sometimes interfere with an attacker's post-exploitation toolkit. Reference D3FEND technique Multi-factor Authentication.
  4. Configuration Backups: Regularly back up your FortiGate configuration so you can compare it against a known-good version to spot unauthorized changes.

Timeline of Events

1
January 27, 2026
This article was published

Article Updates

January 28, 2026

Fortinet disclosed and patched CVE-2026-24858, a critical FortiCloud SSO bypass actively exploited to hijack devices, bypassing previous patches. CISA added it to KEV.

Update Sources:
cisa.govFortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858
digitalforensicsmagazine.comNEWS ROUNDUP - 28th January 2026
cybersecurity-review.comNews - January 2026

MITRE ATT&CK Mitigations

Audit

M1047enterprise

Regularly audit firewall configurations and local administrative accounts for any unauthorized changes or additions.

Mapped D3FEND Techniques:

D3-DAMD3-LAM

Multi-factor Authentication

M1032enterprise

Enforce MFA on all administrative accounts as a critical compensating control against authentication bypasses.

Mapped D3FEND Techniques:

D3-MFA

Limit Access to Resource Over Network

M1035enterprise

Restrict access to the firewall's management interface to a limited set of trusted IP addresses (a 'management VLAN').

Mapped D3FEND Techniques:

D3-NI

Sources & References(when first published)

26th January – Threat Intelligence Report
Check Point Research (research.checkpoint.com) January 26, 2026
26th January – Threat Intelligence Report
Check Point Research (research.checkpoint.com) January 26, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

FortinetFortiGateVulnerabilityAuthentication BypassSSOSAMLZero-Day

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.