Fortinet SSO Vulnerability Actively Exploited to Hack Firewalls and Gain Admin Access
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical vulnerability in Fortinet\u2019s Single Sign-On (SSO) feature for FortiGate firewalls, tracked as CVE-2025-59718<\/a>, is under active exploitation.<\/p>\n Attackers are leveraging it to create unauthorized local admin accounts, granting full administrative access to internet-exposed devices.<\/p>\n Multiple users have reported identical attack patterns, prompting Fortinet\u2019s PSIRT forensics team to investigate.<\/p>\n CVE-2025-59718 affects the FortiCloud SSO login mechanism in FortiOS. It allows remote attackers to authenticate via malicious SSO logins, bypassing standard controls.<\/p>\n The flaw persists despite patches, enabling privilege escalation on firewalls using SAML or FortiCloud SSO for admin authentication.<\/p>\n No CVSS score is published yet, but real-world impacts are severe: attackers create backdoor accounts like \u201chelpdesk\u201d with full system privileges. Devices must be internet-facing with SSO enabled for exploitation.<\/p>\n Reddit user u\/csodes and others detailed incidents<\/a> on FortiGate 7.4.9 (e.g., FGT60F models). A malicious SSO login from the same IP address triggered local admin creation, detected via SIEM alerts. Victims confirmed deployment since late December 2025, ruling out prior versions.<\/p>\n One organization noted: \u201cOur Local-In policy script failed, and the device was internet-reachable.\u201d Another on SAML reported the \u201chelpdesk\u201d account. Support tickets are open, with Fortinet\u2019s developer team confirming persistence. Carl Windsor from PSIRT is leading forensics.<\/p>\n These coordinated attacks suggest a threat actor campaign targeting unpatched FortiGates. Fortinet acknowledges the issue remains in 7.4.10. Fixes are scheduled for upcoming releases.<\/p>\n In mid-December, Shadowserver discovered that more than 25,000<\/a> Fortinet devices were publicly accessible online, and notably, many of these had the FortiCloud Single Sign-On (SSO) feature activated.<\/p>\n Prior versions may also be affected; check Fortinet\u2019s advisory.<\/p>\n Disable FortiCloud SSO logins via CLI to block exploitation:<\/p>\n This prevents SSO-based attacks without disrupting local or SAML auth. Re-enable post-patch. Fortinet urges applying it now, especially for internet-exposed firewalls.<\/p>\n Fortinet promises advisories soon. This incident underscores SSO risks in firewalls, disabling unnecessary features, and monitoring aggressively. Stay tuned for CVSS and full IOCs.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Fortinet SSO Vulnerability Actively Exploited to Hack Firewalls and Gain Admin Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nExploitation in the Wild<\/strong><\/h2>\n
\n\n
\n \nFortiOS Version<\/th>\n Vulnerability Status<\/th>\n Fix Availability<\/th>\n<\/tr>\n<\/thead>\n \n 7.4.9<\/td>\n Vulnerable (exploited)<\/td>\n 7.4.11 (scheduled)<\/td>\n<\/tr>\n \n 7.4.10<\/td>\n Vulnerable (not fixed)<\/td>\n 7.4.11 (scheduled)<\/td>\n<\/tr>\n \n 7.6.x<\/td>\n Vulnerable<\/td>\n 7.6.6 (scheduled)<\/td>\n<\/tr>\n \n 8.0.x<\/td>\n Vulnerable (pre-release)<\/td>\n 8.0.0 (scheduled)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Immediate Workaround<\/strong><\/h2>\n
text
config system global\nset admin-forticloud-sso-login disable\nend\n<\/code><\/pre>\n\n