Network administrators around the globe are on high alert following credible reports that a critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively exploited even on systems believed to be fully patched.
Originally disclosed in December 2025, the flaw enables unauthenticated attackers to bypass authentication on FortiGate firewalls by abusing forged SAML assertions. In response to the initial disclosure, Fortinet released FortiOS 7.4.9, positioning it as the definitive remediation for the 7.4 branch. However, new evidence emerging from the cybersecurity community suggests that this update may not have fully mitigated the threat.
The “Zombie” FortiOS Vulnerability
Over the past 48 hours, a surge of reports has appeared across community platforms such as Reddit, where verified network administrators have posted log evidence of successful intrusions on FortiGate devices running FortiOS 7.4.9 a version widely assumed to be secure. The observed attack pattern is both consistent and deeply concerning. Affected organizations report unauthorized logins via the FortiCloud SSO mechanism, even in environments where FortiCloud SSO is not intentionally used for administrative access. Once attackers gain entry, they typically create a new local administrator account often using benign-sounding names such as helpdesk to establish persistent access independent of the SSO vulnerability.
“We’ve been on 7.4.9 since December 30,” wrote one administrator, who shared redacted SIEM logs illustrating the breach. “Our monitoring flagged the creation of a local admin account. The behavior matches the original CVE-2025-59718 exploit, but it’s happening against firmware that was supposed to be fixed.”
Technical Uncertainty and Interim Mitigations
The apparent persistence of the vulnerability in FortiOS 7.4.9 has led to growing speculation that the original patch was either incomplete or that attackers have discovered a method to bypass the implemented safeguards. Some administrators claim Fortinet support has privately acknowledged the issue, suggesting the weakness may even extend into upcoming releases such as 7.4.10, though no official public advisory has yet confirmed this.
At the center of the issue is the “Allow administrative login using FortiCloud SSO” setting, which is often enabled by default when a FortiGate device is registered with FortiCloud. This configuration appears to remain exploitable regardless of firmware version.
As a result, security professionals are now recommending a “trust no patch” stance for this specific attack vector. At present, the only mitigation widely regarded as reliable within the security community is to manually disable FortiCloud SSO administrative logins via the CLI, irrespective of the FortiOS version deployed.
Administrators are strongly urged to apply this change immediately across all FortiGate appliances.
Indicators of Compromise (IOCs)
Organizations operating FortiOS 7.4.x, including version 7.4.9, should urgently examine system and event logs for the following warning signs:
Suspicious SSO Logins
Review successful authentication events where the login method is forticloud-sso, particularly when originating from unknown or unexpected public IP addresses.
Unauthorized Administrator Accounts
Investigate the creation of new administrator users, especially accounts with common or generic names such as helpdesk, support, or fortinet-admin.
Configuration Data Exfiltration
Look for log entries indicating a full configuration export, especially when occurring shortly after an SSO-based login event.
As confidence in the official patch lifecycle erodes, the security community has once again become the first line of defense, sharing Indicators of Compromise, forensic findings, and workarounds faster than vendors can issue formal guidance. Until Fortinet provides definitive clarification or remediation, the recommendation is clear: disable FortiCloud SSO administrative access immediately or risk full system compromise.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
