Fortinet Admins Report Patched FortiGate Firewalls Getting Hacked: CVE-2025-59718 (Critical)

Estimated reading time: 8 minutes

Key Takeaways:

  • CVE-2025-59718 Patch Failure: Initial updates (FortiOS 7.4.9) are insufficient to block active exploitation of the FortiCloud SSO bypass.
  • Critical Indicators of Compromise: Unauthorized admin accounts named cloud-init@mail.io and connections from IP 104.28.244.114 signal a breach.
  • Concurrent Cisco Threats: Cisco Unified CM and Webex Calling infrastructure are also facing zero-day exploitation via CVE-2026-20045.
  • Urgent Mitigation: Administrators are advised to disable FortiCloud SSO immediately while awaiting FortiOS 7.4.11.

Table of Contents:

Technical analysts and network administrators are reporting active exploitation of Fortinet FortiGate devices despite the application of previous security patches. The core issue involves a patch bypass for CVE-2025-59718, a critical authentication bypass vulnerability that resides in the FortiCloud Single Sign-On (SSO) login feature. Initial remediation efforts released by Fortinet in December 2025, specifically FortiOS version 7.4.9, appear insufficient to prevent unauthorized access via maliciously crafted SAML messages.

CVE-2025-59718: Incomplete Patch Leads to Ongoing FortiGate Exploitation

The vulnerability tracked as CVE-2025-59718 allows an unauthenticated attacker to bypass security headers and gain administrative access to FortiGate appliances. This occurs through the exploitation of the FortiCloud SSO mechanism. While Fortinet initially signaled that FortiOS 7.4.9 resolved the issue, field reports from administrators and third-party security firms indicate that attackers have found methods to circumvent these fixes.

Current data suggests that FortiOS version 7.4.10 remains vulnerable. Security logs from affected organizations show the creation of local administrator accounts following unauthorized SSO logins. A recurring indicator of compromise (IoC) involves the creation of an admin user associated with the email cloud-init@mail.io. In several instances, the source IP 104.28.244.114 has been linked to these unauthorized login attempts. This pattern aligns with findings from late 2025, where attackers utilized crafted Security Assertion Markup Language (SAML) messages to impersonate legitimate administrative sessions.

For organizations relying on a cyber threat intelligence platform, these developments signify a failure in traditional patch-cycle reliability. When a vendor-provided update fails to mitigate a critical flaw, the risk of a breach increases significantly, as teams may operate under a false sense of security. Fortinet has indicated that forthcoming releases-FortiOS 7.4.11, 7.6.6, and 8.0.0-are intended to provide a comprehensive fix.

Technical Breakdown of the SAML Bypass

The exploitation of CVE-2025-59718 centers on how the FortiOS authentication daemon processes SAML assertions. SAML is an open standard for exchanging authentication and authorization data between parties, in this case, between the FortiCloud identity provider and the FortiGate service provider.

The vulnerability allows an attacker to inject or modify SAML tokens in a manner that the FortiGate appliance accepts as valid without proper cryptographic verification or session validation. Once the bypass is successful, the attacker gains the privileges associated with the SSO configuration, which often includes full administrative rights. This level of access facilitates the deployment of further malware, credential harvesting, or the redirection of network traffic.

A PurpleOps Solutions can often identify when exploit kits for such vulnerabilities are being traded or discussed in restricted environments. In the case of CVE-2025-59718, the rapid transition from initial patch release to reported bypass suggests that threat actors are closely analyzing patch diffs to find residual logic flaws.

Impact and Global Exposure

Telemetry from Shadowserver indicates a significant attack surface. In mid-December 2025, over 25,000 Fortinet devices were identified online with the FortiCloud SSO feature enabled. While that number has decreased to approximately 11,000, the remaining exposed devices are at high risk. The Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-59718 in its Known Exploited Vulnerabilities (KEV) Catalog, mandating that federal agencies apply mitigations immediately.

The danger of an authentication bypass on a perimeter firewall cannot be overstated. It provides a direct gateway into the internal network, bypassing breach detection systems that focus on endpoint or internal traffic. If an attacker gains root-level access to a firewall, they can disable logging, modify firewall rules to allow lateral movement, and establish persistent VPN tunnels for data exfiltration.

The current threat landscape is not limited to Fortinet. Cisco has recently addressed a critical vulnerability in its Unified Communications and Webex Calling infrastructure, tracked as CVE-2026-20045 (CVSS 8.2). Similar to the Fortinet flaw, this vulnerability has seen active exploitation as a zero-day.

CVE-2026-20045 stems from improper validation of user-supplied input in HTTP requests sent to the web-based management interface of affected Cisco devices. By sending a sequence of specially crafted HTTP requests, an attacker can obtain user-level access to the underlying operating system. From there, privilege escalation to root is possible.

Affected Cisco products include:

  • Unified Communications Manager (Unified CM)
  • Unified CM Session Management Edition (SME)
  • Unified CM IM & Presence
  • Cisco Unity Connection
  • Webex Calling Dedicated Instance

Unlike the Fortinet issue, Cisco states there are no viable workarounds for CVE-2026-20045. Organizations must apply software updates or version-specific patch files (COP files) to secure their systems. CISA has also added this Cisco flaw to the KEV Catalog, setting a strict deadline for remediation.

The Role of External Intelligence in Vulnerability Management

The recurrence of exploits against “patched” systems demonstrates the necessity of PurpleOps Solutions and broader threat monitoring. Attackers do not stop at the first iteration of a patch; they frequently use PurpleOps Solutions and PurpleOps Solutions to share bypass techniques and automated scanning tools.

When a critical perimeter device like a FortiGate firewall or a Cisco Unified CM server is compromised, the incident often precedes a larger ransomware deployment. Attackers use these initial access points to conduct internal reconnaissance. By integrating a live ransomware API into security operations, organizations can correlate firewall logs with known ransomware infrastructure in real-time, potentially identifying a breach before encryption begins.

Furthermore, PurpleOps Solutions is essential when dealing with major vendors like Fortinet and Cisco. A flaw in their software is effectively a flaw in the subscriber’s supply chain. When patches are released and subsequently found to be incomplete, the risk management process must account for the possibility of “patch-gap” exploitation.

Practical Takeaways for Technical and Non-Technical Stakeholders

Technical Actions for Engineers

  1. Disable FortiCloud SSO: If you are running affected versions of FortiOS and do not have the latest confirmed fix, disable the FortiCloud login feature immediately.
    • Via GUI: System -> Settings -> Toggle “Allow administrative login using FortiCloud SSO” to Off.
    • Via CLI:
      config system global
      set admin-forticloud-sso-login disable
      end
  2. Audit Administrative Logs: Search for the creation of unauthorized accounts, specifically those named cloud-init or those using the mail.io domain.
  3. Monitor Known Malicious IPs: Block IP 104.28.244.114 and monitor for any inbound connections from this address across all network segments.
  4. Verify Patch Integrity: Do not assume that running version 7.4.9 or 7.4.10 is sufficient. Plan for the immediate deployment of FortiOS 7.4.11 or higher upon release.
  5. Cisco Remediation: For Cisco Unified CM environments, apply the specific COP files associated with CVE-2026-20045. Note that version 12.5 has reached end-of-life; migration to version 14 or 15 is necessary.

Strategic Actions for Business Leaders

  1. Update Risk Registers: Acknowledge that perimeter hardware is currently a high-priority target for state-sponsored and financially motivated actors.
  2. Resource Emergency Patching: Provide the necessary maintenance windows for IT teams to apply out-of-band updates, even if they cause temporary service disruptions.
  3. Invest in Monitoring: Utilize PurpleOps Solutions to determine if corporate credentials or administrative secrets related to these firewalls have been exposed.
  4. Review SSO Policies: While SSO improves user experience, its implementation on critical infrastructure requires additional layers of verification, such as IP whitelisting or secondary MFA.

PurpleOps Expertise in Perimeter Security and Threat Mitigation

PurpleOps provides specialized services designed to detect and mitigate the risks associated with critical vulnerabilities like CVE-2025-59718 and CVE-2026-20045. Our approach focuses on moving beyond basic patching to a comprehensive security posture.

Dark Web and Underground Intelligence

Our PurpleOps Solutions services provide early warning signs of exploit development. We track discussions in restricted forums where bypasses for Fortinet and Cisco patches are often first shared. This underground forum intelligence allows our clients to take defensive action before an exploit becomes widely automated.

Advanced Penetration Testing

Through PurpleOps Solutions, we simulate the exact techniques used by threat actors to bypass authentication mechanisms. This helps organizations identify if their specific configurations-such as SAML implementations-are susceptible to the types of attacks currently targeting FortiGate devices.

Supply Chain and Infrastructure Protection

We understand that security is a product of your entire technology stack. Our PurpleOps Solutions services evaluate the risks posed by third-party hardware and software vendors. When a vendor patch fails, PurpleOps assists in implementing compensating controls.

Ransomware Defense

Given that firewall breaches are a primary precursor to data extortion, our PurpleOps Solutions strategies are integrated with PurpleOps Solutions. This ensures that indicators of compromise found in the wild are immediately applied to your defensive perimeter.

Analysis of the Ongoing Threat

The situation with Fortinet admins reporting that patched firewalls are still being hacked suggests a sophisticated level of persistence from threat actors. The ability to bypass a security patch shortly after its release indicates that attackers are investing significant resources into reverse-engineering FortiOS. This is typical of actors who prioritize access to high-value enterprise networks.

The reliance on SAML for administrative access, while convenient, introduces a complex attack surface. SAML involves XML parsing and cryptographic signatures, both of which have historically been prone to implementation errors. When these errors occur in a security appliance, the result is often a total compromise of the network’s first line of defense.

Organizations should assume that any internet-facing management interface is under constant scrutiny. The transition of CVE-2025-59718 and CVE-2026-20045 to the CISA KEV list confirms that these are not theoretical risks but active components of modern cyberattacks.

Summary of Technical Findings

Vulnerability CVE-2025-59718 CVE-2026-20045
Vendor Fortinet Cisco
Product FortiOS / FortiGate Unified Communications / Webex
Impact Authentication Bypass Remote Code Execution (Root)
Status Active Exploitation / Patch Bypass Active Exploitation / Zero-Day
Mitigation Disable FortiCloud SSO; Update to 7.4.11+ Apply COP patches or upgrade versions

The failure of FortiOS 7.4.9 and 7.4.10 to fully address the SAML bypass highlights the need for a multi-layered defense strategy. PurpleOps remains committed to providing the technical depth and operational intelligence required to navigate these challenges. By combining PurpleOps Solutions with real-time threat data, we help organizations identify their weaknesses before attackers do.

For detailed analysis of your network’s exposure or to learn more about our platform and PurpleOps Solutions, contact PurpleOps for a comprehensive security assessment.

Frequently Asked Questions (FAQ)

What is the main risk of CVE-2025-59718?
The primary risk is a total administrative bypass on FortiGate firewalls. Attackers can gain full control over the device, allowing them to intercept traffic, create new users, and move laterally into the internal network.

Are FortiOS versions 7.4.9 and 7.4.10 safe to use?
No. While they contain initial fixes, reports indicate that attackers have successfully bypassed these patches. Users should disable FortiCloud SSO and prepare to upgrade to version 7.4.11 or later immediately upon release.

What specific account name should I look for in my logs?
Administrators should look for the creation of any unauthorized users, specifically those associated with the email cloud-init@mail.io.

Does the Cisco vulnerability (CVE-2026-20045) have a workaround?
According to Cisco, there are no viable workarounds. The only way to secure affected Unified Communications and Webex Calling systems is to apply software updates or the relevant COP patch files.

How can I protect my perimeter from these recurring patch bypasses?
Implement a defense-in-depth strategy that includes disabling unnecessary internet-facing management features, using IP whitelisting for admin access, and employing continuous monitoring for unusual account activity.