**Fortinet Admins Report Patched Firewalls Getting Hacked**
Fortinet administrators are reporting that FortiGate firewalls already patched against a critical authentication bypass are still being compromised by attackers exploiting that same flaw. The vulnerability, tracked as CVE-2025-59718, was supposed to be fixed in early December with the release of FortiOS 7.4.9, but the reports indicate that the current release, FortiOS 7.4.10, does not fully address the issue.
**Patched Firewalls Being Exploited**
One administrator reported that their organization's FortiGate firewall (FGT60F), running FortiOS 7.4.9, was compromised despite being patched: the attacker created a new admin user after a malicious SSO login from the IP address 104.28.244.114. Another administrator reported seeing the same user login and the same IP address.
The logs from these incidents closely resemble those from the exploitation of CVE-2025-59718 that cybersecurity company Arctic Wolf observed in December 2025, when attackers used maliciously crafted SAML messages to compromise admin accounts.
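The pattern described above, an SSO admin login from an unexpected source followed shortly by the creation of a new administrator account, is straightforward to hunt for in FortiOS event logs. The script below is an added example, not code from the article, from the administrators quoted, or from Fortinet. It assumes FortiOS-style key=value event logs; the field names (date, time, user, method, srcip, action, status, cfgpath, cfgobj) follow the FortiOS event-log layout, while the sample lines, usernames and trusted address ranges are constructed for illustration. The IP address is the one reported in the article.

```python
"""Hunt FortiOS event logs for an SSO admin login followed by admin-account creation.

Added example (not from the article or Fortinet). Log field names follow the
FortiOS key=value event format; the sample log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Source ranges from which administrators are expected to log in (assumed; adjust per site).
TRUSTED_ADMIN_PREFIXES = ("10.", "192.168.")
# Source IP reported by the administrators quoted in the article.
IOC_IPS = {"104.28.244.114"}

# Constructed sample log lines in FortiOS event-log layout.
SAMPLE_LOGS = """\
date=2026-01-08 time=09:12:01 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2026-01-08 time=09:14:33 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="sso_admin" ui="sso(104.28.244.114)" method="sso" srcip=104.28.244.114 action="login" status="success" msg="Administrator sso_admin logged in successfully from sso(104.28.244.114)"
date=2026-01-08 time=09:15:10 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="sso_admin" ui="sso(104.28.244.114)" action="Add" cfgtid=12345 cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]" msg="Add system.admin support"
"""


def parse_fortios_line(line):
    """Turn one FortiOS key=value log line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(ev):
    """Combine the separate date and time fields into a datetime."""
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def is_sso_admin_login(ev):
    """A successful administrative login whose method is SSO (FortiCloud SSO shows up this way)."""
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("method") == "sso")


def is_admin_account_created(ev):
    """A configuration change that adds an object under system.admin, i.e. a new administrator."""
    return ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"


def hunt(lines, window=timedelta(minutes=30)):
    """Return one finding per admin-account creation that follows an SSO login by the same user.

    Each finding records the SSO source IP, whether it is outside the trusted ranges,
    whether it matches a known IOC, and the name of the administrator that was created.
    """
    events = [parse_fortios_line(line) for line in lines if line.strip()]
    sso_logins = [ev for ev in events if is_sso_admin_login(ev)]
    findings = []
    for ev in events:
        if not is_admin_account_created(ev):
            continue
        created_at = event_time(ev)
        for login in sso_logins:
            gap = created_at - event_time(login)
            if login.get("user") == ev.get("user") and timedelta(0) <= gap <= window:
                src = login.get("srcip", "")
                findings.append({
                    "sso_user": login.get("user"),
                    "srcip": src,
                    "untrusted_source": not src.startswith(TRUSTED_ADMIN_PREFIXES),
                    "known_ioc": src in IOC_IPS,
                    "new_admin": ev.get("cfgobj"),
                    "seconds_after_login": int(gap.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS.splitlines()):
        print(finding)
```

The ordinary HTTPS login from the internal range produces no finding; only the SSO login followed 37 seconds later by the creation of the "support" administrator is flagged, with the source marked both untrusted and a known IOC. In a real hunt, feed the script exported FortiGate event logs and widen the window if account creation in your environment is slower.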
**Fortinet's Response**
BleepingComputer contacted Fortinet multiple times this week with questions about these reports but has not received a reply. However, Fortinet's developer team appears to have confirmed that the vulnerability is not fully fixed in v7.4.10.
**Temporary Fix for Admins**
Until Fortinet releases a fully patched FortiOS build, administrators are advised to temporarily disable the FortiCloud SSO login feature (if enabled) to protect their devices. In the GUI, navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off.
Alternatively, admins can run the following commands from the command-line interface:
```
config system settings
    set allow-forticloud-login disable
end
```
**Scope of the Issue**
As Fortinet notes in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in these attacks is not enabled by default when the device is not FortiCare-registered. Even so, in mid-December Shadowserver found more than 25,000 Fortinet devices exposed online with FortiCloud SSO enabled. More than half have since been secured, and Shadowserver now tracks just over 11,000 that are still reachable from the Internet.
**CISA's Warning**
The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2025-59718 FortiCloud SSO authentication bypass to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within a week. Separately, attackers are now actively exploiting a critical Fortinet FortiSIEM vulnerability for which proof-of-concept exploit code is publicly available, allowing them to gain code execution with root privileges on unpatched devices.
**Stay Secure**
It is essential for Fortinet administrators to take immediate action to secure their systems and protect against these attacks. We will continue to monitor the situation and provide updates as more information becomes available.