FortiGate Firewalls Compromised Despite Recent Patches for CVE-2025-59718
Take action: If you are using Fortinet FortiGate, this is important and urgent. Your device may still be vulnerable. Disable the FortiCloud SSO login feature immediately on all FortiGate appliances to prevent unauthorized administrative access.
Fortinet FortiGate firewalls are being attacked again despite recent security updates. Security researchers and users report that CVE-2025-59718 (CVSS score 9.8) remains exploitable on versions that were supposed to be patched.
This problem affects FortiOS versions 7.4.9 and 7.4.10, which the vendor previously claimed were fixed.
Now users report that even systems updated to version 7.4.9 are seeing attackers create new administrator accounts on their devices.
Fortinet is working on new fixes for versions 7.4.11, 7.6.6, and 8.0.0.
Until those patches are available, disable the FortiCloud SSO administrator login from the FortiOS CLI (the change only takes effect once the block is closed with end):
    config system global
        set admin-forticloud-sso-login disable
    end
Update: Fortinet confirmed active exploitation of CVE-2025-59718. The company urgently recommends disabling FortiCloud SSO, restricting administrative access to trusted IP ranges, and treating any compromised device as fully breached: update the firmware, rotate all credentials, and restore the configuration from a known-clean backup.
Security teams should monitor for the following IOCs associated with active exploitation.
- Compromised User Accounts:
  - cloud-noc@mail.io
  - cloud-init@mail.io
- Source IP Addresses:
  - 104.28.244.115
  - 104.28.212.114
  - 37.1.209.19 (third-party observed)
  - 217.119.139.50 (third-party observed)
- Malicious Admin Accounts Created:
  - audit
  - backup
  - itadmin
  - secadmin
  - support
Organizations should audit all administrator accounts for unexpected entries created during suspicious timeframes. Fortinet is developing a permanent patch to address the new attack vector.
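As an added example (not code from the original advisory or from Fortinet), the following Python script applies the IOCs above to FortiOS-style key=value event logs: it flags logins or configuration changes by the listed accounts or from the listed source IPs, flags creation of any administrator account (highlighting the listed names so the rest can be reviewed as the advisory asks), and checks a `show full-configuration system global` dump to confirm the mitigation setting is in place. The log lines and config snippet are constructed samples; the 10.1.1.x LAN addresses, the hostname, and the log IDs are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# IOCs exactly as listed in the advisory above.
IOC_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
IOC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support"}

# FortiOS event logs are space-separated key=value pairs; values that contain
# spaces are double-quoted. This pattern captures either form.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> dict:
    """Turn one FortiOS key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


@dataclass
class Hit:
    reason: str
    user: str
    srcip: str
    raw: str


def check_event(fields: dict) -> list:
    """Return every reason this event matches the advisory's IOCs (empty if none)."""
    reasons = []
    user = fields.get("user", "")
    srcip = fields.get("srcip", "")
    if user in IOC_USERS:
        reasons.append(f"activity by IOC account {user}")
    if srcip in IOC_IPS:
        reasons.append(f"activity from IOC source IP {srcip}")
    # Adding an administrator is logged as a config change on system.admin.
    if fields.get("cfgpath") == "system.admin" and fields.get("action") == "Add":
        name = fields.get("cfgobj", "")
        if name in IOC_ADMIN_NAMES:
            reasons.append(f"creation of IOC admin account '{name}'")
        else:
            reasons.append(f"new admin account '{name}' created (review)")
    return reasons


def scan(lines) -> list:
    """Run check_event over an iterable of raw log lines and collect the hits."""
    hits = []
    for line in lines:
        fields = parse_log(line)
        for reason in check_event(fields):
            hits.append(Hit(reason, fields.get("user", ""), fields.get("srcip", ""), line))
    return hits


def forticloud_sso_login_disabled(config_text: str) -> bool:
    """True if a 'show full-configuration system global' dump has the SSO login off."""
    m = re.search(r"^\s*set admin-forticloud-sso-login (\w+)\s*$", config_text, re.M)
    return m is not None and m.group(1) == "disable"


# Constructed sample log lines (assumed, not real captures): a benign local login,
# an SSO login by an IOC account from an IOC IP, that account adding the 'audit'
# admin, and a local admin adding an unlisted account that still needs review.
SAMPLE_LOGS = [
    'date=2025-12-15 time=08:01:12 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.1.1.20)" method="https" srcip=10.1.1.20 dstip=10.1.1.1 action="login" status="success" msg="Administrator admin logged in successfully from https(10.1.1.20)"',
    'date=2025-12-15 time=08:05:33 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="cloud-noc@mail.io" ui="https(104.28.244.115)" method="https" srcip=104.28.244.115 dstip=10.1.1.1 action="login" status="success" msg="Administrator cloud-noc@mail.io logged in successfully from https(104.28.244.115)"',
    'date=2025-12-15 time=08:06:02 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloud-noc@mail.io" ui="https(104.28.244.115)" srcip=104.28.244.115 action="Add" cfgtid=1234 cfgpath="system.admin" cfgobj="audit" cfgattr="" msg="Add system.admin audit"',
    'date=2025-12-15 time=09:10:44 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ssh(10.1.1.20)" srcip=10.1.1.20 action="Add" cfgtid=1240 cfgpath="system.admin" cfgobj="jdoe" cfgattr="" msg="Add system.admin jdoe"',
]

# Constructed excerpt of 'show full-configuration system global' after the fix.
SAMPLE_GLOBAL_CONFIG = """config system global
    set admin-forticloud-sso-login disable
    set admin-sport 443
    set hostname "FGT-EDGE-01"
end
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h.user or '-':22} {h.srcip or '-':16} {h.reason}")
    print("FortiCloud SSO login disabled:", forticloud_sso_login_disabled(SAMPLE_GLOBAL_CONFIG))
```

The parser deliberately reports every `system.admin` addition, not only the listed names, because the IOC account names are what one campaign used and an attacker can pick any name; treat the unlisted hits as the audit queue the advisory calls for. Feed it a FortiAnalyzer or syslog export one line per event.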