Current Cyber Threats

Fortinet Admins Report Patched FortiGate Firewalls Getting Hacked

Summary:
Administrators are reporting that Fortinet FortiGate firewalls remain vulnerable to CVE-2025-59718, a critical authentication bypass, even after applying the available patches. Fortinet first attempted to fix the flaw in FortiOS 7.4.9, but reports from system administrators and security researchers indicate that the fix was incomplete and that devices running 7.4.10 are still being compromised.

The flaw resides in the FortiCloud Single Sign-On (SSO) feature. A remote attacker can bypass authentication by submitting maliciously crafted SAML messages and thereby obtain administrative control of the device.

Security Officer Comments:
The impact is severe: attackers are using the bypass to create unauthorized local administrator accounts, such as "helpdesk", to maintain persistent access. Researchers have observed the attacks originating from specific source IP addresses, with device event logs recording the creation of new admin users via the "cloud-init" service. Reviewing the system event log for admin accounts added through cloud-init, and comparing the local admin list against the accounts you expect to exist, is therefore a quick first check for compromise.

Although FortiCloud SSO is not enabled by default on devices that are not registered with FortiCloud, internet scans have found thousands of systems exposed online with the feature active. Because of the high risk and confirmed exploitation in the wild, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to apply mitigations immediately.
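The log review suggested above, as an added example that is not part of the original bulletin or any Fortinet tooling. It parses FortiOS-style key=value event log lines and flags administrator accounts that were added through the cloud-init channel or whose name is not on an allowlist. The log lines are constructed for the example: the field names (user, ui, action, cfgpath, cfgobj, msg) follow FortiOS configuration-change events, but every value, the account names and the source addresses are made up.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample FortiOS-style event log lines in key=value form. Every
# value below is invented for this example; only the field names mirror
# FortiOS configuration-change events.
SAMPLE_LOGS: List[str] = [
    'date=2025-12-18 time=03:14:07 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object configured" user="admin" ui="ssh(10.10.0.5)" '
    'action="Add" cfgpath="system.admin" cfgobj="backup-admin" '
    'msg="Add system.admin backup-admin"',
    'date=2025-12-18 time=03:22:41 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object configured" user="N/A" ui="cloud-init" '
    'action="Add" cfgpath="system.admin" cfgobj="helpdesk" '
    'msg="Add system.admin helpdesk"',
    'date=2025-12-18 time=03:25:00 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="https(10.10.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'msg="Edit firewall.policy 12"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The 'ui' field looks like ssh(10.10.0.5), https(10.10.0.5) or a bare channel name.
UI_RE = re.compile(r'^(\w[\w-]*)(?:\((.*)\))?$')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, dropping the quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def split_ui(ui: str) -> Tuple[str, Optional[str]]:
    """Split a 'ui' value such as ssh(10.10.0.5) into (channel, source address)."""
    m = UI_RE.match(ui)
    if not m:
        return ui, None
    return m.group(1), m.group(2)


def find_suspicious_admin_adds(lines: List[str], expected_admins: Set[str]) -> List[Dict[str, object]]:
    """Return admin-account creations that came in via cloud-init or that
    produced an account name outside the expected allowlist."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("cfgpath") != "system.admin" or f.get("action") != "Add":
            continue  # only creation of local administrator accounts is of interest here
        channel, source = split_ui(f.get("ui", ""))
        account = f.get("cfgobj", "")
        reasons: List[str] = []
        if channel == "cloud-init":
            reasons.append("admin account added via cloud-init")
        if account not in expected_admins:
            reasons.append("account not in allowlist")
        if reasons:
            hits.append({
                "timestamp": f"{f.get('date', '?')} {f.get('time', '?')}",
                "account": account,
                "channel": channel,
                "source": source,   # None for cloud-init, which carries no client address
                "actor": f.get("user", ""),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_admin_adds(SAMPLE_LOGS, {"admin", "backup-admin"}):
        print(hit)
```

Run it against an export of the device's system event log; anything added through cloud-init, or any account name you do not recognise, warrants treating the device as compromised rather than merely unpatched.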

Suggested Corrections:
Until a verified fix is available, administrators are strongly advised to manually disable FortiCloud administrative login. Note that disabling the feature only closes the entry point: any administrator accounts an attacker has already created remain in place and must be reviewed and removed separately.

This can be done through the FortiGate GUI by navigating to System > Settings and switching "Allow administrative login using FortiCloud SSO" to Off.

Alternatively, it can be disabled from the command-line interface (CLI) by entering config system global, running set admin-forticloud-sso-login disable, and then end to apply the change.
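The weak and corrected settings side by side, plus a check that can be run against a configuration backup, as an added example that is not part of the original bulletin or of Fortinet's own tooling. The two configuration fragments are constructed in FortiOS backup syntax (config / edit / set / next / end); the hostname, the admin accounts and the access profile are invented, and only the setting name admin-forticloud-sso-login comes from the advisory text above.

```python
from typing import Dict, List, Optional, Set

# Constructed FortiOS CLI configuration fragments in backup format. The hostname,
# accounts and profile names are made up for this example.
VULNERABLE_CONFIG = """\
config system global
    set hostname "fgt-edge-1"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set accprofile "super_admin"
    next
end
"""

# Same device with FortiCloud SSO login disabled and the rogue account removed.
HARDENED_CONFIG = """\
config system global
    set hostname "fgt-edge-1"
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""


def parse_fortios_config(text: str) -> Dict[str, dict]:
    """Parse config/edit/set/next/end blocks into
    {path: {"settings": {attr: value}, "entries": {name: {attr: value}}}}."""
    sections: Dict[str, dict] = {}
    path_stack: List[str] = []
    edit_stack: List[Optional[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            path = line[len("config "):].strip()
            path_stack.append(path)
            edit_stack.append(None)
            sections.setdefault(path, {"settings": {}, "entries": {}})
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            edit_stack[-1] = name
            sections[path_stack[-1]]["entries"].setdefault(name, {})
        elif line == "next":
            edit_stack[-1] = None
        elif line == "end":
            path_stack.pop()
            edit_stack.pop()
        elif line.startswith("set "):
            attr, _, value = line[len("set "):].partition(" ")
            value = value.strip().strip('"')
            section = sections[path_stack[-1]]
            current = edit_stack[-1]
            if current is None:
                section["settings"][attr] = value
            else:
                section["entries"][current][attr] = value
    return sections


def audit_config(text: str, expected_admins: Set[str]) -> List[str]:
    """Flag FortiCloud SSO admin login and local admin accounts outside the allowlist."""
    cfg = parse_fortios_config(text)
    findings: List[str] = []
    sso = cfg.get("system global", {}).get("settings", {}).get("admin-forticloud-sso-login")
    if sso == "enable":
        findings.append("admin-forticloud-sso-login is enabled: set it to disable under 'config system global'")
    elif sso is None:
        # Backups omit settings left at their default, and the default depends on
        # whether the unit is registered with FortiCloud, so confirm it on the device.
        findings.append("admin-forticloud-sso-login absent from backup: verify the effective value on the device")
    for name in cfg.get("system admin", {}).get("entries", {}):
        if name not in expected_admins:
            findings.append(f"unexpected local administrator account '{name}'")
    return findings


if __name__ == "__main__":
    print("before:", audit_config(VULNERABLE_CONFIG, {"admin"}))
    print("after: ", audit_config(HARDENED_CONFIG, {"admin"}))
```

The parser only handles the flat config/edit/set structure used here; feed it a full backup and it will still walk nested blocks, but the audit reads just system global and system admin.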

Fortinet is expected to release FortiOS 7.4.11, 7.6.6, and 8.0.0 in the coming days with a complete fix for the bypass. Organizations should prioritize these updates as soon as they become available, and should re-check the local administrator list after upgrading, since patching does not remove accounts created before the fix was applied.

Link(s):
https://www.bleepingcomputer.com/ne...t-patched-fortigate-firewalls-getting-hacked/