Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Fortinet FortiOS Vulnerability Exploited: CVE-2025-59718 Patch Bypass

22 January 2026 08:05

Attackers are using a patch bypass to exploit a previously patched critical FortiGate authentication flaw (CVE-2025-59718) and breach protected firewalls, according to reports from Fortinet customers. Fortinet reportedly plans to release FortiOS versions 7.4.11, 7.6.6, and 8.0.0 soon to fully address the vulnerability.

An affected administrator stated that the latest FortiOS release (7.4.10) does not fully address the authentication bypass vulnerability. The vulnerability was expected to be fixed with the release of FortiOS 7.4.9, scheduled for early December.

“We just had a malicious SSO on one of our FortiGates running version 7.4.9 (FGT60F). We have a SIEM that detected the creation of the local administrator account. Now, I did a little research and it looks like this is exactly what happened when someone broke in with CVE-2025-59718. But we’ve been on version 7.4.9 since December 30th,” the administrator said.

Until Fortinet provides a fully patched version of FortiOS, administrators are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to protect their systems from attacks.

“We’ve observed the same activity. Also running version 7.4.9. Same user login and IP address. A new sysadmin user named ‘helpdesk’ has been created. We have an open ticket with support. Update: The Fortinet development team has confirmed that the vulnerability persists or has not been fixed in version 7.4.10,” another added.

To disable access to FortiCloud, you need to go to System -> Settings and disable the “Allow administrative access via FortiCloud SSO” option. Alternatively, you can run the following commands from the command line interface:

Fortunately, as Fortinet explains in its original advisory, the FortiCloud Single Sign-On (SSO) feature targeted by the attacks is not enabled by default when the device is not enrolled in FortiCare, which should reduce the total number of vulnerable devices.
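
To check a saved configuration backup for the two conditions discussed above (FortiCloud SSO administrative login left enabled, and an unexpected administrator such as the "helpdesk" account one customer reported), here is an added example that is not from the original article or from Fortinet. The setting name `admin-forticloud-sso-login`, the CLI lines in `REMEDIATION`, the allow-list parameter and the sample backup are assumptions made for illustration.

```python
import re

# Assumed FortiOS setting name and CLI form of the GUI toggle; neither is shown on this page.
SSO_KEY = "admin-forticloud-sso-login"
REMEDIATION = "config system global\n    set %s disable\nend" % SSO_KEY

# Constructed sample backup, not taken from a real device.
SAMPLE = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        config gui-dashboard
            edit 1
            next
        end
    next
    edit "helpdesk"
        set accprofile "super_admin"
    next
end
"""

def audit(config_text, expected_admins):
    """Report the FortiCloud SSO setting and admin accounts outside the allow-list."""
    stack, sso, admins = [], None, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])  # enter a (possibly nested) block
        elif line == "end":
            del stack[-1:]                       # leave the block; safe on stray 'end'
        elif stack and stack[-1] == "system global":
            m = re.fullmatch(r"set %s (\S+)" % re.escape(SSO_KEY), line)
            if m:
                sso = m.group(1)
        elif stack and stack[-1] == "system admin":
            m = re.fullmatch(r'edit "?([^"]+)"?', line)  # admin table entries only
            if m:
                admins.append(m.group(1))
    findings = []
    if sso == "enable":
        findings.append("FortiCloud SSO admin login is enabled. Disable with:\n" + REMEDIATION)
    elif sso is None:
        findings.append("%s not set in this backup; confirm the effective value on the device" % SSO_KEY)
    unexpected = sorted(set(admins) - set(expected_admins))
    if unexpected:
        findings.append("Admin accounts not in the allow-list: " + ", ".join(unexpected))
    return {"sso": sso, "unexpected_admins": unexpected, "findings": findings}
```

Calling `audit(SAMPLE, {"admin"})` flags both the enabled SSO setting and the `helpdesk` account. A backup that omits the setting is reported separately, because the absence of the line does not show what value the device is actually using.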

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.