Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Exploitation of FortiGate Authentication Vulnerability CVE-2025-59718

The goal of this document is to provide technical and strategic analysis of a larger source (a document, audio recording, etc.).

The document is a product of the RBTN - CYOI Pulpit


Photo by Yeshi Kangrang


Document Summary

Fortinet customers are being attacked through a patch bypass for the critical FortiGate authentication vulnerability CVE-2025-59718. The attacks target the FortiCloud single sign-on (SSO) login feature, which is disabled by default but becomes enabled once a device is registered with FortiCare. Shadowserver has identified Internet-exposed devices with FortiCloud SSO enabled, and CISA has ordered U.S. federal agencies to patch the vulnerability within a week. Attackers are using publicly available proof-of-concept exploit code to gain root privileges on unpatched devices. Until a fully patched FortiOS release is available, Fortinet advises disabling the FortiCloud login feature as a mitigation.
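As a practical check to accompany the mitigation described above, the script below is an added example written for this analysis; it is not RBTN's or Fortinet's tooling. It scans plain-text FortiOS configuration backups for the FortiCloud SSO administrative login setting and flags every device that does not explicitly disable it. It assumes the setting name `admin-forticloud-sso-login` under `config system global` and the `#config-version=` backup header format, neither of which the summary names; the sample backups, hostnames, models and version strings are constructed for the example.

```python
"""Flag FortiOS config backups that do not explicitly disable FortiCloud SSO admin login.

Added example for this analysis (not RBTN or Fortinet code). Assumes the FortiOS
setting `admin-forticloud-sso-login` under `config system global` and the plain-text
backup format; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SSO_SETTING = "admin-forticloud-sso-login"  # assumed FortiOS setting name

# Backup header, e.g. "#config-version=FGT60F-7.4.7-FW-build2731-240909:opmode=0:..."
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>[\d.]+)-FW-build(?P<build>\d+)"
)
SETTING_RE = re.compile(rf"^\s*set\s+{re.escape(SSO_SETTING)}\s+(enable|disable)\s*$")

# Constructed sample backups (not captured from real devices; versions are placeholders).
SAMPLE_CONFIGS: Dict[str, str] = {
    "fw-branch-01": (
        "#config-version=FGT60F-7.4.7-FW-build2731-240909:opmode=0:vdom=0:user=admin\n"
        "config system global\n"
        '    set hostname "fw-branch-01"\n'
        "    set admin-forticloud-sso-login enable\n"
        "    set admin-sport 443\n"
        "end\n"
    ),
    "fw-dc-02": (
        "#config-version=FGT100F-7.4.7-FW-build2731-240909:opmode=0:vdom=0:user=admin\n"
        "config system global\n"
        '    set hostname "fw-dc-02"\n'
        "    set admin-forticloud-sso-login disable\n"
        "end\n"
    ),
    "fw-lab-03": (
        "#config-version=FGT60F-7.2.11-FW-build1740-250318:opmode=0:vdom=0:user=admin\n"
        "config system global\n"
        '    set hostname "fw-lab-03"\n'
        "end\n"
    ),
}


@dataclass
class Finding:
    host: str
    model: Optional[str]
    version: Optional[str]
    sso_login: str  # "enable", "disable" or "not-set"
    exposed: bool   # True unless the setting is explicitly disabled


def _global_block(text: str) -> List[str]:
    """Return the lines inside `config system global ... end`, or [] if absent."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "config system global"), None)
    if start is None:
        return []
    body: List[str] = []
    for line in lines[start + 1:]:
        if line.strip() == "end":
            break
        body.append(line)
    return body


def assess_config(host: str, text: str) -> Finding:
    """Classify one backup. A backup lists only non-default values, so an absent
    setting is reported as 'not-set' and still flagged for manual verification."""
    model = version = None
    first_line = text.splitlines()[0] if text else ""
    header = HEADER_RE.match(first_line)
    if header:
        model, version = header.group("model"), header.group("version")
    sso = "not-set"
    for line in _global_block(text):
        match = SETTING_RE.match(line)
        if match:
            sso = match.group(1)  # last occurrence wins, as on the device
    return Finding(host, model, version, sso, exposed=(sso != "disable"))


def assess_all(configs: Dict[str, str]) -> Dict[str, Finding]:
    return {host: assess_config(host, text) for host, text in configs.items()}


# Assumed CLI sequence for the mitigation; confirm against the Fortinet advisory.
REMEDIATION = [
    "config system global",
    f"    set {SSO_SETTING} disable",
    "end",
]


if __name__ == "__main__":
    for f in assess_all(SAMPLE_CONFIGS).values():
        status = "EXPOSED (verify / disable)" if f.exposed else "ok"
        print(f"{f.host}: {f.model} {f.version} {SSO_SETTING}={f.sso_login} -> {status}")
    print("Remediation:\n" + "\n".join(REMEDIATION))
```

The conservative choice is deliberate: because a FortiOS backup normally records only non-default values, a device whose `config system global` block never mentions the setting is reported as `not-set` and flagged for verification rather than assumed safe. The `REMEDIATION` list is the assumed CLI sequence for disabling the feature; check it against the Fortinet advisory for the FortiOS version in use before applying it.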

Analysis

Overview

Timestamp: 2026-01-21

Title: Exploitation of FortiGate Authentication Vulnerability CVE-2025-59718

Severity: critical

The incident involves attackers exploiting the critical FortiGate authentication vulnerability CVE-2025-59718, via a bypass of the original patch, to gain unauthorized access to Fortinet devices. The adversary's capability consists of using publicly available exploit code to bypass administrative authentication and obtain root privileges. The targeted infrastructure is FortiGate devices with the FortiCloud SSO login enabled, and the technology sector is the primary affected industry. Victims are Fortinet customers running vulnerable devices; the severity is critical because a successful exploit gives the attacker root-level control of a perimeter firewall.

Adversary

Adversary: Attackers exploiting FortiGate vulnerability CVE-2025-59718

Motivation: Unauthorized access and control

Sophistication: Medium

TTPs: Exploitation of a public-facing application (authentication bypass of the FortiCloud SSO login through a bypass of the CVE-2025-59718 patch); use of publicly available proof-of-concept exploit code; escalation to root privileges on unpatched devices.

Capability

Capability: Exploitation of FortiGate authentication vulnerability

Tools: Public proof-of-concept exploit code

Infrastructure

Description: Internet-exposed FortiGate devices with FortiCloud SSO login enabled; once compromised, these devices give the attacker root-level control of the firewall.

Victim Profile

Targets: Fortinet customers with vulnerable FortiGate devices

Industry: Technology

Assets: FortiGate firewalls

Data at Risk: Network access credentials

Impact: Critical

References