A real-world intrusion leveraging CVE-2025-59718, a critical FortiGate SSO authentication bypass flaw, revealing a patient, methodical attacker who spent weeks establishing persistent access before triggering any visible alarms.
The Vulnerability at the Center
CVE-2025-59718 is a critical-severity flaw (CWE-347: Improper Verification of Cryptographic Signature) affecting FortiOS, FortiProxy, and FortiSwitchManager.
Disclosed by Fortinet in December 2025, the vulnerability resides in the FortiCloud Single Sign-On (SSO) component and allows an unauthenticated remote attacker to bypass administrative authentication by submitting a specially crafted SAML response to the /remote/saml/login endpoint.
Because the device fails to validate the cryptographic signature of the SAML assertion properly, it accepts the forged message as legitimate, granting the attacker full administrative privileges without valid credentials.
A companion vulnerability, CVE-2025-59719, shares the same root cause but specifically targets FortiWeb. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16, 2025, the same day Rapid7 observed active exploitation attempts against its honeypots.
A public proof-of-concept exploit on GitHub appeared almost simultaneously, dramatically compressing the window between disclosure and weaponization.
How the Attack Unfolded
Rapid7’s IR team traced the intrusion through a methodical “inside-out” investigation, starting from the initial alert and working backward to uncover the true initial access vector (IAV).
The first suspicious activity detected was internal enumeration: the attacker gathered user, system, and resource information from common directories, escalating to SMB-based file scraping and network share access behavior that superficially resembled routine administration.
A pivotal discovery was the use of Mimikatz to harvest credentials from memory across multiple systems. Armed with valid elevated credentials, the attacker pivoted laterally using PsExec and Microsoft Remote Desktop (RDP), deliberately mimicking legitimate administrative activity to blend in.
High-value targets, including virtualization platforms, domain controllers, and backup infrastructure servers, were prioritized systems whose compromise could enable privilege escalation, data theft, or destruction of recovery capabilities.
The first authentication into the Windows environment originated from an internal IP address outside the known IP ranges, specifically within the FortiGate device’s DHCP lease pool.
This anomaly initially suggested VPN activity, but investigators quickly noted that SSL VPN had never been enabled in this environment, making the FortiGate appliance an immediate suspect as the IAV.
The FortiGate as Ground Zero
A forensic review of the FortiGate’s system logs and configuration data confirmed the device had been systematically modified.
The attacker had enabled the SSL VPN component and made a sequence of configuration changes: editing VPN settings, adding new firewall policies, and adjusting configuration parameters, all recorded in FortiGate system logs as routine-looking Edit and AddEvents attributed to a user called admins from an external IP.
The critical thread connecting these changes was a configuration file download initiated from an external IP address already flagged as malicious by security vendors through the FortiGate GUI.
Configuration exports are a high-value prize for attackers: they expose network architecture, authentication mechanisms, device relationships, and sometimes plaintext or weakly hashed credentials.
Investigators then identified that multiple new administrative accounts had been created on the device, including SSO administrator, system administrator, and local accounts.
Several of these accounts used email domains hosted on Namecheap infrastructure, such as openmail[.]pro. Alarmingly, some newly created SSO administrator accounts were linked to forticloud.com domains, a deliberate masquerade leveraging the same SSO component exploited by the vulnerability.
Timeline of Stealth: Two Weeks of Silent Access
A defining characteristic of this intrusion was its patience. Initial access was established approximately two weeks before any subsequent malicious activity, a reconnaissance and persistence phase during which the attacker secured reliable, recurring access to the environment via the compromised FortiGate.
There was no evidence of brute-force activity against local accounts; the initial foothold was obtained purely through the SSO authentication bypass.
Once persistence was established, attackers began authenticating via the SSL VPN connections they had enabled, effectively turning the perimeter firewall into an attacker-controlled ingress point.
The attacker’s consistent post-exploitation behavior across incidents, configuration export, account creation, and then lateral movement mirrors patterns observed by other vendors, suggesting organized, financially motivated threat actors focused on persistent access and credential harvesting.
Detection Opportunities for Defenders
Rapid7 has implemented dedicated detections for InsightIDR and MDR customers targeting both exploitation and post-exploitation activity. Three specific detection rules have been deployed:
- Potential Exploitation – FortiGate Admin SSO Login and Config Download via External IP
- Exfiltration – FortiGate Config Downloaded Using GUI via External IP
- Suspicious Authentication – FortiGate SSO Login via External IP
Beyond platform-specific detections, defenders should implement centralized syslog forwarding from all edge devices to capture configuration changes, admin logins, and new account creation events in real time.
Any SSO admin account creation tied to forticloud.com domains, configuration downloads by unrecognized accounts, or SSL VPN enablement on previously disabled appliances should be treated as high-confidence indicators of compromise.
Correlating internal authentication events with FortiGate DHCP ranges can also surface anomalous lateral movement sourced from the appliance itself.
Affected Products and Patching Guidance
Organizations should immediately audit FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb deployments. Fortinet’s official workaround recommends turning off the FortiCloud login feature on vulnerable, unpatched versions.
As exploitation began within days of the patch release and a public PoC is available, patching must be treated as an emergency priority for any internet-facing Fortinet appliance.
FAQs
Q1: What is CVE-2025-59718?
It is a critical FortiCloud SSO authentication bypass flaw (CWE-347) that lets unauthenticated attackers gain admin access via a forged SAML message.
Q2: Which Fortinet products are affected?
CVE-2025-59718 impacts FortiOS, FortiProxy, and FortiSwitchManager, while CVE-2025-59719 affects FortiWeb.
Q3: Is CVE-2025-59718 actively exploited?
Yes, CISA added it to the KEV catalog on December 16, 2025, with active exploitation confirmed in the wild since mid-December 2025.
Q4: What is the recommended immediate mitigation?
Disable FortiCloud SSO login on vulnerable versions and apply Fortinet’s official patch immediately while auditing logs for anomalous admin account creation and config downloads.
Site: thecybrdef.com
About the Author
