CVE-2025-59718: Patched FortiGate Firewalls Are Still Being Exploited - Here's What You Need To Know
If you patched your FortiGate firewalls for CVE-2025-59718 and ticked it off the list, you need to take another look. Fully patched devices are still getting popped.
Over the past week, we've seen confirmed reports from Arctic Wolf, Huntress, and enterprise security teams of successful compromises on FortiGate appliances running FortiOS 7.4.9 and 7.4.10—versions Fortinet said were safe.
Fortinet has now acknowledged the fix was incomplete. Corrected versions (7.4.11, 7.6.6, 8.0.0) are coming, but they're not out yet.
So right now, patching alone isn't enough.
What's actually happening
CVE-2025-59718 is a critical authentication bypass in FortiOS. Attackers abuse the FortiCloud SSO admin login, a SAML-based flow, by submitting malicious SAML assertions that the firewall accepts, which gives them administrative access without any valid credentials.
Once they're in, they're creating rogue admin accounts, exporting full firewall configs (credentials, crypto material, the lot), and setting up persistence. The accounts often have generic names like "helpdesk" or "secadmin" to blend in.
The root issue? The original patch appears to have closed the specific exploit conditions that were observed, not the underlying flaw in how the firewall validates SAML assertions. That is why devices patched weeks ago are still being compromised.
This isn't theoretical
Shadowserver is tracking over 11,000 internet-facing FortiGate devices with FortiCloud SSO exposed. Huntress has confirmed 11 incidents in the last 30 days—including at least one customer that was fully patched. Arctic Wolf has been tracking compromises of patched firewalls since January 15th.
Attack infrastructure has been traced to DigitalOcean, Kaopu Cloud (Hong Kong), and Cloudflare. The technique is consistent across incidents: malicious SAML assertions, admin login, config export, persistence.
It's active. It's widespread. And it's ongoing.
What to do right now
Disable FortiCloud admin SSO. Today. This is the only reliable mitigation until Fortinet ships the corrected firmware. From the FortiOS CLI:
config system global
set admin-forticloud-sso-login disable
end
This mitigation has consistently stopped exploitation in confirmed cases.
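Added check, not from the original post: after applying the setting, confirm it actually took and list every configured admin account so you can compare it against your inventory. These are standard FortiOS CLI commands; the "expected" line is what to look for, not output captured from a real device.

```text
# confirm FortiCloud admin SSO is off
get system global | grep admin-forticloud-sso-login
# expected: admin-forticloud-sso-login: disable

# list every configured admin account; anything you did not create is a finding
show system admin | grep edit
```

Run the second command on every internet-facing unit, not only the ones you believe were exposed, since an exported config from one device can hand an attacker credentials that work on others.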
If you've had internet-facing FortiGate appliances with FortiCloud SSO enabled, assume compromise and act accordingly:
- Full forensic review
- Rotate every credential stored on the firewall or transiting it. An exported config carries admin credentials, VPN pre-shared keys, LDAP/RADIUS bind secrets, and certificates together with their private keys, so treat all of them as exposed
- Monitor for unexpected admin account creation, config exports, and SAML authentication anomalies
- Apply 7.4.11 / 7.6.6 / 8.0.0 as soon as they ship, and confirm on a test device that the fix actually holds before you re-enable FortiCloud admin SSO anywhere
IOCs to watch for
SSO logins tied to cloud-init@mail[.]io
New admin accounts with names like helpdesk, secadmin, support, remoteadmin, backup, itadmin, audit
Unexpected config exports
Traffic from:
- 104.28.244.115
- 104.28.212.114
- 217.119.139.50
- 37.1.209.19
Flag any of these for immediate investigation. One caveat: the two 104.28.x.x addresses sit in Cloudflare-operated address space that is shared with legitimate users, so an IP hit on its own carries less weight than a match on the SSO identity or a rogue admin account; treat it as a trigger to investigate, not as proof of compromise.
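Added example, not code from the original post, from Fortinet, or from any of the vendors named above: a Python triage script that runs the IOC list and the monitoring items from the checklist (admin account creation, config exports, SSO logins, the listed IPs) over FortiOS-style key=value event logs, and additionally flags any later action taken by an account it has already identified as rogue. The log lines are constructed for the example. The field names (logdesc, user, ui, srcip, action, cfgpath, cfgobj) follow FortiOS syslog conventions, but exactly how a FortiCloud SSO login or a config backup is rendered on your firmware is an assumption; check the rules against a known-good login and a known backup in your own logs before relying on them.

```python
"""Triage FortiOS event logs for the CVE-2025-59718 IOCs listed in the post."""
import ipaddress
import re

# IOCs as published in the post (the defanged email is un-bracketed for matching).
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
IOC_IDENTITY = "cloud-init@mail.io"
SUSPICIOUS_ADMIN_NAMES = {"helpdesk", "secadmin", "support", "remoteadmin",
                          "backup", "itadmin", "audit"}

# FortiOS syslog is space-separated key=value, with quoted values for free text.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_line(line: str) -> dict:
    """Return the key=value fields of one FortiOS log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def source_ip(entry: dict) -> str:
    """Best-effort source address: srcip, else the address inside ui="https(x.x.x.x)"."""
    cand = entry.get("srcip", "")
    if not cand:
        m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", entry.get("ui", ""))
        cand = m.group(1) if m else ""
    try:
        return str(ipaddress.ip_address(cand))
    except ValueError:
        return ""


def assess(entry: dict) -> list:
    """Stateless rules: which published IOCs does a single entry match?"""
    hits = []
    if source_ip(entry) in IOC_IPS:
        hits.append("ioc-ip")
    if IOC_IDENTITY in (entry.get("user", "") + " " + entry.get("msg", "")).lower():
        hits.append("ioc-identity")
    # Assumed layout for admin creation: action="Add" on cfgpath="system.admin".
    if entry.get("cfgpath") == "system.admin" and entry.get("action") == "Add":
        hits.append("admin-account-added")
        if entry.get("cfgobj", "").lower() in SUSPICIOUS_ADMIN_NAMES:
            hits.append("suspicious-admin-name")
    # Assumed: a config export is logged with "backup" in logdesc.
    if "backup" in entry.get("logdesc", "").lower():
        hits.append("config-export")
    return hits


def triage(lines) -> list:
    """Stateful pass: also flag any later action by a rogue account created earlier."""
    rogue_admins = set()
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_fortios_line(line)
        if not entry:
            continue
        hits = assess(entry)
        if "suspicious-admin-name" in hits:
            rogue_admins.add(entry["cfgobj"].lower())
        if entry.get("user", "").lower() in rogue_admins:
            hits.append("rogue-admin-activity")
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample: a normal admin login, then the attack chain from the post
# (SSO login as the IOC identity, rogue "helpdesk" admin, config export), then
# a legitimate admin creation that still deserves a look.
SAMPLE_LOGS = """\
date=2026-01-20 time=09:14:02 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.5.21)" method="https" srcip=10.10.5.21 action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.5.21)"
date=2026-01-20 time=09:31:47 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully via FortiCloud SSO"
date=2026-01-20 time=09:32:10 devname="fw-edge-01" type="event" subtype="system" logdesc="Object configured" user="cloud-init@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 action="Add" cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[super_admin]" msg="Add system.admin helpdesk"
date=2026-01-20 time=09:33:55 devname="fw-edge-01" type="event" subtype="system" logdesc="Config backup" user="helpdesk" ui="https(104.28.212.114)" srcip=104.28.212.114 action="backup" status="success" msg="Configuration backup from https(104.28.212.114)"
date=2026-01-20 time=10:02:11 devname="fw-edge-01" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(10.10.5.21)" srcip=10.10.5.21 action="Add" cfgpath="system.admin" cfgobj="jsmith" cfgattr="accprofile[prof_admin]" msg="Add system.admin jsmith"
"""

if __name__ == "__main__":
    for line_no, hits in triage(SAMPLE_LOGS.splitlines()):
        print(f"line {line_no}: {', '.join(hits)}")
```

Feed it a FortiAnalyzer or syslog export one line at a time; the rogue-account tracking only works if the log is in time order, so sort before you run it. Any entry that lands on admin-account-added is worth a glance even without a suspicious name, since the attackers choose names to blend in.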
We're continuing to track this one closely. We'll update this post as new details emerge.