Introduction
Rapid7's recent Incident Response (IR) engagement confirms what security teams feared: CVE-2025-59718 is not just a theoretical vulnerability. It is an active avenue for initial access into enterprise environments. Disclosed by Fortinet in December 2025, this critical flaw (improper verification of cryptographic signatures) facilitates a Single Sign-On (SSO) login bypass on vulnerable FortiGate appliances.
In the analyzed incident, attackers used this bypass to gain unauthorized administrative access. Rather than ransomware immediately, the actors adopted a "low-profile" posture, systematically compromising additional edge firewalls before pivoting to internal hosts. This dwell time created a grace period, but relying on attacker lethargy is a failed strategy. Defenders must assume the perimeter is already breached and act immediately to patch, detect, and contain.
Technical Analysis
Affected Products: FortiGate secure gateways running specific vulnerable versions of FortiOS. (Reference Fortinet advisory FG-IR-25-XXX for specific build ranges).
CVE Identifier: CVE-2025-59718
Vulnerability Mechanics: The vulnerability stems from a failure in the cryptographic signature verification process during the SSO authentication handshake. By exploiting this flaw, an unauthenticated attacker can forge a valid SSO response. This bypasses standard identity provider (IdP) checks, granting the attacker administrative privileges on the FortiGate device without valid credentials.
Attack Chain (Observed in IR):
- Initial Access: External attacker sends crafted SSO request to vulnerable FortiGate -> CVE-2025-59718 exploit -> Administrative access obtained.
- Persistence: Attackers modify configuration or create local users to maintain access.
- Lateral Movement (Internal): Using the compromised firewall as a jump box, attackers scan and move to internal network hosts.
- Objective: Typically reconnaissance for data exfiltration or ransomware deployment.
Exploitation Status: CONFIRMED ACTIVE EXPLOITATION. The Rapid7 IR report provides concrete evidence of in-the-wild abuse targeting real-world environments.
Detection & Response
Given the nature of this appliance exploit, standard EDR on the firewall is unavailable. Detection relies heavily on analyzing syslog and authentication logs forwarded to your SIEM (e.g., Microsoft Sentinel) or reviewing local logs via CLI.
SIGMA Rules
---
title: Potential FortiGate SSO Login Bypass - Successful Admin Login
id: 85f2a1d0-4e9c-4b5c-9f12-1a2b3c4d5e6f
status: experimental
description: Detects successful administrative logins on FortiGate devices. While legitimate, a sudden spike or success during non-business hours for SSO logins may indicate CVE-2025-59718 exploitation.
references:
- https://www.rapid7.com/blog/post/ve-fortigate-cve-2025-59718-exploitation-incident-response-ir-findings
author: Security Arsenal
date: 2025/12/15
tags:
- attack.initial_access
- attack.t1078.004
logsource:
category: firewall
product: fortinet
detection:
selection:
action: 'login'
status: 'success'
log_subtype|contains: 'admin'
filter:
msg|contains: 'logout'
condition: selection and not filter
falsepositives:
- Legitimate administrator logins
level: medium
---
title: FortiGate Lateral Movement - Outbound Admin Connection
id: 92e3b2c1-5f0d-4a6e-8e23-2b3c4d5e6f7a
status: experimental
description: Detects outbound connections from a FortiGate management interface to internal hosts. Firewalls rarely initiate connections to internal servers; this may indicate attackers pivoting from the appliance.
references:
- https://attack.mitre.org/techniques/T1021/
author: Security Arsenal
date: 2025/12/15
tags:
- attack.lateral_movement
- attack.t1021
logsource:
category: firewall
product: fortinet
detection:
selection:
dst_ip|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
dst_port:
- 22
- 445
- 3389
- 5985
- 5986
direction: 'outbound'
condition: selection
falsepositives:
- Legitimate management traffic to internal jump servers (rare)
level: high
KQL (Microsoft Sentinel)
// Hunt for successful admin logins on FortiGate devices
// Look specifically for logins where the user is not a known local admin or occurs via SSO mechanisms without preceding IdP logs
Syslog
| where DeviceVendor == "Fortinet"
| where Facility contains " FortiGate "
| parse SyslogMessage with * "action=" Action: "," * "msg=" Message: "," * "log_subtype=" SubType: "," *
| where Action == "login"
| where Message contains "success"
| where SubType contains "admin"
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, Action, Message, SubType
| order by TimeGenerated desc
// Detect potential lateral movement from the Firewall itself
// Firewall initiating connections to internal hosts is highly suspicious
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceAction in ("accept", "accepted")
| where DestinationPort in (22, 445, 3389, 5985, 5986) // SSH, SMB, RDP, WinRM
| ipv4_is_in_range(SourceIP, "10.0.0.0/8") or ipv4_is_in_range(SourceIP, "192.168.0.0/16") or ipv4_is_in_range(SourceIP, "172.16.0.0/12")
| where DeviceAddress matches regex @"^\d+\.\d+\.\d+\.\d+$" // Ensure device IP exists
| extend IsFirewallSource = iff(SourceIP == DeviceAddress, "True", "False")
| where IsFirewallSource == "True"
| project TimeGenerated, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction
Velociraptor VQL
This VQL artifact is designed to run on internal endpoints (Windows/Linux) to hunt for active connections established from the compromised FortiGate firewall IP address.
-- Hunt for established connections from the compromised FortiGate IP
-- Replace '192.168.1.1' with your Firewall's internal management IP
SELECT State, RemoteAddress, RemotePort, Pid, ProcessName, Username, StartTime
FROM netstat()
WHERE State == 'ESTABLISHED'
AND RemoteAddress == '192.168.1.1'
Remediation Script (Bash)
Run this script on FortiGate devices in CLI mode to disable SSO immediately as a temporary mitigation, or verify the patch status.
#!/bin/bash
# FortiGate CVE-2025-59718 Emergency Hardening
# Use in FortiGate CLI (enable shell if required to run script, otherwise run commands manually)
# 1. Check Current Firmware Version
echo "Checking Firmware Version..."
get system status | grep Version
# 2. Emergency Mitigation: Disable SSO if patch cannot be applied immediately
# WARNING: This will disrupt SSO login for administrators
config system sso
set status disable
end
echo "SSO Disabled. Check logs for suspicious login attempts."
# 3. Force logout of all admin sessions (Optional, high impact)
execute admin logout-all-users
Remediation
- Patch Immediately: Apply the Fortinet security patches referenced in the advisory for CVE-2025-59718. Ensure build versions are updated to the latest recommended release.
- Verify Configuration: Post-patch, re-enable SSO only if strictly necessary. Prefer local admin accounts with MFA over SSO for critical infrastructure management where possible.
- Credential Reset: Assume all administrative credentials were exposed. Rotate all firewall admin passwords and API tokens immediately.
- Log Audit: Conduct a thorough review of FortiGate logs dating back at least 30 days. Look for:
- Successful admin logins at unusual times.
- Logins from geographically impossible locations.
- Configuration changes (e.g., new VPN users, policy modifications) that cannot be attributed to change tickets.
- Network Segmentation: Ensure management interfaces of firewalls are not accessible from the internet. Restrict access to specific internal subnets (Jump hosts) only.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.