The ongoing exploit erodes confidence in Fortinet’s patch cycle and exposes enterprises to credential‑theft risks, while regulators pressure rapid remediation across critical infrastructure.
The CVE‑2025‑59718 flaw illustrates how a seemingly resolved vulnerability can re‑emerge when patch verification is incomplete. FortiGate firewalls rely on FortiOS to enforce authentication, yet the recent SAML‑based bypass demonstrates that attackers can still forge single sign‑on tokens, granting them admin privileges without user interaction. This vector is especially potent because FortiCloud SSO, though optional, is often left enabled for convenience, creating a wide attack surface that spans legacy and newly deployed appliances.
Enterprise security teams are now scrambling to assess exposure. Shadowserver’s scan revealed more than 25,000 FortiGate units with FortiCloud SSO active in December, a figure that has only modestly declined to roughly 11,000 still reachable online. The persistence of these devices, combined with CISA’s directive to patch within a week, underscores the regulatory urgency surrounding critical infrastructure protection. Immediate mitigations—disabling the FortiCloud SSO login and tightening SAML validation—provide a stop‑gap, but they also highlight the operational friction when vendors issue incomplete fixes.
Looking ahead, the incident may reshape how vendors approach vulnerability disclosure and patch roll‑outs. Fortinet’s rapid announcement of 7.4.11, 7.6.6, and 8.0.0 suggests a shift toward emergency releases, yet customers will demand more transparent testing and validation to avoid repeat scenarios. Organizations should adopt layered defenses, such as network segmentation and continuous monitoring of SSO logs, to reduce reliance on single‑point authentication mechanisms. In the long term, the episode reinforces the need for robust supply‑chain security practices and proactive threat‑intelligence sharing across the cybersecurity ecosystem.
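To make the exposure assessment and stop-gap mitigation described above concrete, here is an added triage script (example code written for this page, not Fortinet's tooling or anything Shadowserver publishes). It takes per-appliance records of FortiOS version plus the `config system global` output, reports which appliances are below the fixed release named for their branch (7.4.11, 7.6.6, 8.0.0; the branch-to-release mapping is an assumption drawn from those three version numbers, and branches the article does not mention are flagged for a manual advisory check rather than guessed), and recommends disabling the FortiCloud SSO admin login on any unpatched appliance that has it enabled. The setting name `admin-forticloud-sso-login` is the FortiOS system-global option as I understand it; verify it against your firmware's CLI reference. The inventory and the `show` output are constructed sample data.

```python
"""Triage FortiGate inventory for the FortiCloud SSO exposure (added example)."""
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
# Assumption: this is the branch-to-fix mapping; branches not listed
# here (for example 7.0 or 7.2) are reported as "unknown-branch".
FIXED_BY_BRANCH = {
    (7, 4): (7, 4, 11),
    (7, 6): (7, 6, 6),
    (8, 0): (8, 0, 0),
}

def parse_version(version_str):
    """Parse a FortiOS version string such as 'v7.4.9,build2810' into a
    comparable (major, minor, patch) tuple; the build suffix is ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version_str)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {version_str!r}")
    return tuple(int(x) for x in m.groups())

def sso_login_enabled(config_text):
    """Return True when 'config system global' output contains
    'set admin-forticloud-sso-login enable'. An absent line is treated
    as disabled (assumption about the firmware default)."""
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(\S+)\s*$",
                  config_text, re.MULTILINE)
    return m is not None and m.group(1).lower() == "enable"

def triage_device(name, version_str, config_text):
    """Classify one appliance and list the actions it needs."""
    version = parse_version(version_str)
    sso = sso_login_enabled(config_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        status = "unknown-branch"
    elif version < fixed:
        status = "vulnerable"
    else:
        status = "patched"

    actions = []
    if status == "vulnerable":
        actions.append("upgrade to " + ".".join(map(str, fixed)))
    elif status == "unknown-branch":
        actions.append("check vendor advisory for this branch")
    if sso and status != "patched":
        # Stop-gap from the article: close the SSO admin login path until
        # the appliance is on a fixed release.
        actions.append("disable admin-forticloud-sso-login")
    return {"device": name, "version": version, "sso_enabled": sso,
            "status": status, "actions": actions}

def triage_inventory(records):
    """records: iterable of (name, version_str, config_text). Returns the
    triaged list, most urgent first (vulnerable with SSO enabled on top)."""
    rank = {"vulnerable": 0, "unknown-branch": 1, "patched": 2}
    results = [triage_device(*r) for r in records]
    results.sort(key=lambda d: (rank[d["status"]], not d["sso_enabled"], d["device"]))
    return results

# Constructed sample inventory: hostnames, build numbers and config are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "v7.4.9,build2810",
     "config system global\n    set hostname \"fw-edge-1\"\n"
     "    set admin-forticloud-sso-login enable\nend\n"),
    ("fw-edge-2", "v7.6.6,build3510",
     "config system global\n    set hostname \"fw-edge-2\"\n"
     "    set admin-forticloud-sso-login enable\nend\n"),
    ("fw-lab", "v7.2.10,build1706",
     "config system global\n    set hostname \"fw-lab\"\n"
     "    set admin-forticloud-sso-login disable\nend\n"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        ver = ".".join(map(str, row["version"]))
        print(f"{row['device']:10} {ver:8} sso={row['sso_enabled']!s:5} "
              f"{row['status']:15} {', '.join(row['actions']) or '-'}")
```

In practice the `config_text` field would come from each appliance's `show system global` output gathered by your configuration-management tooling; the point of the ordering is that an unpatched appliance with the SSO login still enabled is the one to act on first, and an unfamiliar branch is never silently reported as safe.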