FortiGate SSO Bypass CVE-2025-59718 Exploited in Active Attacks

Executive Summary

Rapid7's Incident Response (IR) team has confirmed active exploitation of CVE-2025-59718, a critical improper verification of cryptographic signature vulnerability in FortiGate appliances that enables single sign-on (SSO) login bypass. Fortinet disclosed the flaw in December 2025, assigning a CVSS score of 9.8. According to Rapid7's investigation, attackers leveraged the vulnerability to gain persistent administrative access on a vulnerable FortiGate appliance, then maintained a low-profile presence to avoid detection. The incident underscores the urgency for organizations running unpatched FortiGate firmware to apply available updates immediately.

Technical Analysis

CVE-2025-59718 resides in FortiGate's handling of cryptographic signatures during SSO authentication flows. The flaw allows an unauthenticated attacker to forge valid authentication tokens, effectively bypassing the login mechanism and gaining administrative privileges without valid credentials. Rapid7's IR findings indicate that after initial exploitation, the threat actors executed a series of post-exploitation actions designed to establish persistence and expand access. The attackers maintained a low operational profile, suggesting a deliberate effort to avoid triggering alarms or forensic detection. While Rapid7's public disclosure does not name the specific threat actor, the pattern of behavior is consistent with advanced persistent threat (APT) groups or sophisticated cybercriminal operations that prioritize long-term access over immediate data exfiltration.

Fortinet released security advisories and firmware patches addressing CVE-2025-59718 in December 2025. The vulnerability affects multiple FortiGate versions, and Fortinet has urged customers to upgrade to patched firmware releases. As of April 2026, Rapid7's incident response engagement provides the first confirmed evidence of in-the-wild exploitation, though it is likely that other organizations have been targeted but not yet detected.

Mitigations & Recommendations

Organizations running FortiGate appliances should immediately verify their firmware version against Fortinet's advisory and apply the latest patched release if not already deployed. Defenders should audit SSO authentication logs for anomalous administrative logins, particularly those originating from unexpected IP ranges or outside normal business hours. Network segmentation should be reviewed to limit lateral movement from compromised perimeter devices. Where possible, enable multi-factor authentication (MFA) on administrative interfaces and monitor for any unauthorized configuration changes. Rapid7 recommends that organizations without evidence of compromise still treat this as a high-priority patching event given the CVSS 9.8 severity and confirmed exploitation.