A critical security vulnerability within Fortinet’s Single Sign-On (SSO) feature is being actively exploited, enabling threat actors to silently create unauthorized administrator accounts and seize full control of FortiGate firewalls. This flaw, identified as CVE-2025-59718, specifically targets internet-exposed devices that use the FortiCloud SSO login mechanism, a common configuration for centralized management. Over the past several weeks, multiple organizations have reported strikingly similar attack patterns, prompting an urgent forensic investigation by Fortinet’s Product Security Incident Response Team (PSIRT). The persistence of this vulnerability in certain unpatched versions raises significant concerns for enterprises worldwide, as attackers are leveraging it to establish a persistent foothold within compromised networks.
1. The Anatomy of the SSO Exploit
The vulnerability, tracked as CVE-2025-59718, is centered on a flaw within the FortiCloud SSO login mechanism embedded in FortiOS, which allows a remote, unauthenticated attacker to circumvent authentication controls through specially crafted SSO login attempts. Once the vulnerability is successfully exploited, the threat actor can escalate their privileges and create a new backdoor administrator account, which in most observed cases has been named “helpdesk” and granted full system access. This gives the attacker the same level of control as a legitimate administrator, enabling them to alter firewall rules, monitor traffic, and disable security features. The attack vector is particularly dangerous because it targets firewalls that use either Security Assertion Markup Language (SAML) or FortiCloud SSO for administrative authentication and are accessible from the public internet. While Fortinet has not yet published an official Common Vulnerability Scoring System (CVSS) score, active, real-world exploitation confirms its critical severity.
Initial reports of this exploitation campaign surfaced on public forums where security professionals began sharing their findings. One user detailed an incident on a FortiGate 7.4.9 device where a single malicious SSO login attempt from a specific IP address automatically triggered the creation of a local administrator account. This unauthorized activity was first detected through Security Information and Event Management (SIEM) alerts configured to monitor changes to privileged accounts. Another organization using SAML for authentication confirmed the sudden appearance of the same suspicious “helpdesk” account in its system logs, corroborating the attack pattern. The timeline of these incidents, which began emerging in late December 2025, helps narrow the scope to more recent firmware versions. According to Fortinet’s development team, the vulnerability remains unpatched in the current 7.4.10 release, with fixes being actively developed for upcoming versions, underscoring the ongoing risk to unmitigated systems.
2. Mitigation and Proactive Defense Strategies
In response to the active exploitation, Fortinet has released an urgent workaround that allows administrators to immediately block the SSO attack vector. This mitigation involves disabling FortiCloud SSO logins directly through the command-line interface (CLI) using a specific command sequence: config system global, followed by set admin-forticloud-sso-login disable, and finalizing with end. Executing this command effectively prevents SSO-based attacks without disrupting local administrative authentication or other SAML configurations, providing a crucial stopgap measure until a permanent patch can be applied. Once the official firmware updates are released and installed, this setting can be safely re-enabled. Given that the Shadowserver Foundation discovered over 25,000 publicly accessible Fortinet devices with FortiCloud SSO enabled in mid-December 2025, the attack surface remains substantial, making the implementation of this temporary fix a high-priority action for all potentially affected organizations.
Beyond the immediate workaround, organizations must adopt a multilayered defense strategy to protect against this and future threats. A thorough audit of system logs is the first critical step; security teams should meticulously review logs for any suspicious SSO login attempts and search for unauthorized administrator accounts, paying special attention to the “helpdesk” username or any other unfamiliar privileged accounts. Simultaneously, reinforcing network segmentation by restricting administrative access to FortiGate devices from the internet and enforcing strict Local-In firewall policies can significantly reduce exposure. Furthermore, configuring SIEM monitoring to generate immediate alerts for any administrator account changes and to correlate suspicious login attempts from matching IP addresses provides an essential layer of real-time visibility. Finally, organizations should prepare a detailed patch management plan to upgrade to the fixed firmware versions—such as the scheduled 7.4.11 and 7.6.6 releases—as soon as they become available, ensuring that updates are tested in a staging environment first to prevent operational disruptions.
A Conclusive Review of the Incident
This widespread exploitation of a Fortinet SSO vulnerability serves as a stark reminder of the inherent risks associated with internet-exposed management interfaces on critical network security appliances. The coordinated nature of the attacks, which consistently created a backdoor “helpdesk” account, suggests a well-organized threat actor is systematically targeting unpatched FortiGate devices. The incident underscores the importance of diligent security practices, including the principle of least functionality—disabling unused features like SSO when not essential—and maintaining rigorous monitoring and alerting. Organizations that implemented the recommended workarounds and prepared for rapid patching were best positioned to mitigate the threat. The event prompted a broader industry conversation about the security of authentication mechanisms and reinforced the necessity of proactive incident response planning, ensuring that if a compromise is suspected, teams can immediately rotate credentials, isolate affected devices, and engage forensic experts to understand the full scope of the breach.
