Network administrators worldwide are scrambling this morning following credible reports that the critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively exploited on systems previously thought to be patched.
The vulnerability, originally disclosed in December 2025, allows unauthenticated attackers to bypass authentication on FortiGate firewalls by forging SAML assertions. At the time, Fortinet released FortiOS version 7.4.9 as the definitive fix for the 7.4 release branch. However, emerging data from the cybersecurity community suggests this update may have failed to close the door on attackers.
The “Zombie” FortiOS Vulnerability
Over the last 48 hours, a wave of reports has surfaced on community hubs like Reddit, where verified administrators have shared logs indicating successful breaches on devices running the supposedly secure FortiOS 7.4.9.
The attack pattern is distinct and alarming. Victims report observing unauthorized logins via the FortiCloud SSO mechanism—even when they do not actively use the feature for their own administration. Once access is gained, the attackers typically create a local administrator account, often named “helpdesk” or similar generic terms, to establish persistence independent of the SSO flaw.
“We have been on 7.4.9 since December 30th,” wrote one frustrated administrator who shared redacted logs of the incident. “Our SIEM caught a local admin account being created. The attack vector looks exactly like the original CVE-2025-59718 exploit, but against the patched firmware.
Technical Confusion and Workarounds
The persistence of this flaw in version 7.4.9 has led to speculation that the initial patch was incomplete or that attackers have found a bypass to the mitigation logic. Some users report that Fortinet support has acknowledged the issue privately, hinting that the vulnerability might persist even into upcoming builds like 7.4.10, though this remains unconfirmed by official public advisories.
The exploit relies on the “Allow administrative login using FortiCloud SSO” setting, which is often enabled by default when a device is registered to FortiCloud.
Security experts are now advising a “trust no patch” approach for this specific vector. The only guaranteed mitigation currently circulating in professional circles is to manually disable the vulnerable feature via the Command Line Interface (CLI), regardless of the firmware version installed.
Administrators are urged to run the following command immediately on all FortiGate units:
config system global
set admin-forticloud-sso-login disable
end
Indicators of Compromise
Organizations running FortiOS 7.4.x—including version 7.4.9—should immediately audit their system event logs for the following activity:
-
Unexpected SSO Logins: Filter logs for successful logins where the method is
forticloud-sso, especially from unrecognized public IP addresses. -
New User Creation: Check for the recent creation of administrator accounts with names like
helpdesk,support, orfortinet-admin. -
Configuration Exports: Look for logs indicating a full system configuration download shortly after an SSO login.
As trust in the official patch cycle wavers, the community is once again serving as the first line of defense, sharing Indicators of Compromise (IOCs) and workarounds faster than vendors can issue bulletins. For now, disable the SSO feature, or risk compromise.
