If you're one of the millions tasked with keeping your company’s networks shored up, brace yourself. Fortinet’s supposedly secure FortiGate firewalls, even with their most up-to-date patches, have a fresh security disaster on their hands—and this one’s not merely academic. Hackers are walking right past FortiCloud Single Sign-On (SSO) authentication like it’s a beaded curtain, thanks to a vulnerability tracked as CVE-2025-59718. Administrative access? They've got it. And if you think your frantic patching last December kept you safe, think again.
So Much for Single Sign-On: What Went Wrong
The FortiCloud SSO feature that’s supposed to make life easier for you and your fellow admins is now making things shockingly painless for attackers, too. A broken implementation of SAML messages—those identity documents usually designed to prove someone is who they say they are—can be tweaked, with a little know-how, to fool your firewall into granting full admin rights. No password? No Fortinet account? Doesn’t matter. The lock is off and the front door is swinging open.
You’d assume after a patch cycle in December 2025, folks could exhale a little. But the bad actors clearly got the memo that something still stinks. Since mid-January 2026, attackers have been picking off FortiGate firewalls, automating their attacks to slip in, scoop up juicy configuration info, and then set themselves up for a long-term stay. It’s everything you’d expect, except it’s happening on devices that were supposed to be secure.
Attackers Go Shopping: How They’re Winning
Here's what the crooks are doing, almost as if following a disturbingly efficient to-do list:
- Unauthorized Logins: Instead of knocking, they’re sending modified SAML payloads, instantly bypassing login controls.
- Stealing Configurations: Once in, they export the full firewall configuration through the graphical interface. This data includes everything: network maps, security policies, VPN details, and yes, even authentication frameworks.
- Planting Persistent Backdoors: Not satisfied with a hit-and-run? They create fresh admin accounts with bland, generic names like "support," "secadmin," or "backup"—accounts you might breeze past in a quick audit or, worse, inherit from a predecessor's lazy day.
- Lateral Movement: With the loot in hand, attackers can map your infrastructure and prep their next moves. If your firewall manages cross-network connections or partner links, consider them potential collateral damage.
All these steps are happening, no surprise, in seconds—because the bad guys have automated their scripts. The kind of speed only seen in companies that actually know how to move fast, unlike most patch management teams.
“Fully Patched” Means Nothing Now
This isn’t just theoretical risk—these attacks are happening now. The implications? They’re as ugly as they sound:
- Your firewall's rule set, VPN configs, and security policies can be quietly rewritten. That air gap you brag about? One new rule and it evaporates.
- Exported configuration files will often contain hashed credentials—catnip for anyone with basic cracking resources, especially if you’ve got folks still using "Welcome2022!" as their admin password.
- The attackers know the territory. They’re not poking around blindly; they can see the full network topology, find weak points, and plot insider-style attacks, sometimes selling the access to other shadowy hands.
A single misconfigured or unwatched FortiGate box basically rolls out the red carpet for ransomware, data breaches or straight-up network sabotage. Suddenly, all the time and money you’ve poured into perimeter defense feels pointless.
Scrambling for a Fix: What To Do Now
Fortinet’s official advice? Hold tight for new patches. Feel reassured? Didn’t think so. Here’s what you can do to limit the chaos while waiting for their second go-round at fixing things:
- Turn Off FortiCloud SSO: Disable this feature immediately. Get into the management GUI, kill that SSO option (“Allow administrative login using FortiCloud SSO”), or do it via command line. Yes, it’s a hassle, but letting this hole stay open is like running a VPN with “password123” as the only credential.
- Audit Every Admin Account: Comb through every admin-level login, especially bland ones—"audit," "remoteadmin," and so on. Delete or investigate anything you don’t recognize.
- Watch the Logs Like a Hawk: Set up alerts for suspicious logins, unexpected config changes, or the creation of new admin accounts—anything hinting at a phantom presence.
- Keep Management Interfaces Out of Reach: Restrict access to internal, trusted networks only. If your device’s admin page is exposed to the entire internet, that’s malpractice at this point.
- Rotate Administrative Credentials: Change all passwords associated with admin accounts. Use decent passwords for once—random, unique, and stored properly, ideally in a password manager that won’t get pwned next week.
- Stay Plugged Into Advisories: The only thing less pleasant than reading Fortinet’s advisories is cleaning up after one of these breaches. Make it part of your weekly routine anyway.
Why Are We Still Here?
This isn’t just an oopsie for Fortinet; it’s a reminder that “fully patched and updated” doesn’t mean what it used to. Attackers are targeting the very mechanisms meant to make cloud admin easier—and succeeding. Cloud convenience has been sold as the future, but the reality is this: every new SSO feature, every layer of “streamlined” authentication, is just another potential point of failure unless vendors truly get it right.
So go ahead, double-check your firewalls, cancel your weekend, and prep for another round of "fun" when the next patch drops. Maybe, just maybe, the future holds a world where basic authentication actually works. But you’ll want to keep your hopes in check—and your SSO firmly switched off for now.
