Introduction
In December 2025, Fortinet disclosed CVE-2025-59718, a critical vulnerability affecting FortiGate secure appliances. This flaw involves improper verification of cryptographic signatures, which facilitates a Single Sign-On (SSO) login bypass. Security Arsenal has analyzed the incident response findings from Rapid7, which confirmed active exploitation of this vulnerability in the wild. Attackers are leveraging this bug to gain unauthorized administrative access, moving laterally to compromise additional firewalls before pivoting to internal network hosts. Defenders must treat this as an active threat to their perimeter integrity and prioritize immediate patching and hunting.
Technical Analysis
- Affected Products: FortiGate next-generation firewalls (firmware versions associated with CVE-2025-59718).
- CVE Identifier: CVE-2025-59718.
- Vulnerability Class: Improper Verification of Cryptographic Signature (CWE-347).
- Mechanism: The vulnerability allows an attacker to bypass the SSO authentication mechanism. By tampering with or forging the cryptographic signature verification process, an unauthenticated actor can impersonate a valid user and gain administrative access to the FortiGate interface.
- Attack Chain:
- Initial Access: External actor exploits CVE-2025-59718 to bypass SSO and gain admin access to the perimeter FortiGate.
- Persistence/Discovery: Attackers maintain a "low-profile" posture, avoiding loud configuration changes initially to evade detection.
- Lateral Movement: The actor systematically compromises additional FortiGate appliances within the environment using the same mechanism or stolen credentials.
- Objective: Pivot from the firewall layer to internal network hosts for data exfiltration or ransomware deployment.
- Exploitation Status: Confirmed Active Exploitation. Rapid7's IR engagement observed this specific TTP used to breach a client environment.
Detection & Response
The following detection rules and queries are designed to identify successful SSO logins that may be bypass attempts and subsequent lateral movement from compromised firewalls.
SIGMA Rules
YAML
---
title: FortiGate SSO Admin Login Bypass Attempt
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential successful SSO login bypass on FortiGate appliances. Rapid7 IR noted attackers use this to gain admin access. Monitor for successful admin logins via SSO from external sources.
references:
- https://www.rapid7.com/blog/post/ve-fortigate-cve-2025-59718-exploitation-incident-response-ir-findings
author: Security Arsenal
date: 2026/01/15
tags:
- attack.initial_access
- attack.t1078
logsource:
product: fortinet
category: firewall
detection:
selection:
type: 'utm'
subtype: 'admin'
action: 'login'
result: 'success'
method|contains: 'sso'
filter:
srcip|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter
falsepositives:
- Legitimate remote administrator logging in via SSO
level: high
---
title: FortiGate Configuration Change Following Admin Access
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects configuration changes on FortiGate appliances, which often occur immediately after an attacker gains administrative access via CVE-2025-59718.
references:
- https://www.rapid7.com/blog/post/ve-fortigate-cve-2025-59718-exploitation-incident-response-ir-findings
author: Security Arsenal
date: 2026/01/15
tags:
- attack.persistence
- attack.t1562
definition:
condition: selection
selection:
type: 'utm'
subtype: 'configuration'
action: 'modified'
loglevel|contains: 'notice'
falsepositives:
- Authorized administrative changes
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for successful FortiGate admin logins via SSO from external IPs
// This indicates potential exploitation of CVE-2025-59718
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID == "admin" // or specific logid for admin login
| where Activity contains "login"
| where AdditionalExtensions contains "sso"
| where DestinationPort == 443 or DestinationPort == 80
| extend LogSeverity = coalesce(column_ifexists("Severity", ""), "")
| where LogSeverity =~ "information" or LogSeverity =~ "info"
| project TimeGenerated, SourceIP, DestinationIP, DeviceAction, Activity, Message
| order by TimeGenerated desc
Velociraptor VQL
The Rapid7 report indicates attackers moved to internal network hosts. This VQL artifact hunts for suspicious processes commonly used in lateral movement originating from hosts that may have received a pivot from the compromised firewall.
VQL — Velociraptor
-- Hunt for lateral movement tools on internal endpoints
-- Post-exploitation of FortiGate often leads to SMB/WinRM usage
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
StartTime
FROM pslist()
WHERE Name IN ('powershell.exe', 'cmd.exe', 'wmic.exe', 'psexec.exe', 'wmiexec.exe')
AND (
CommandLine =~ 'Invoke-Command' OR
CommandLine =~ 'New-PSSession' OR
CommandLine =~ '\\\\\*' OR
CommandLine =~ '/node:'
)
Remediation Script (Bash)
The following script can be used by administrators to verify if their FortiGate devices are running a vulnerable version via the API and to check for immediate indicators of compromise (IOCs) such as strange admin logins. Note: This requires API access enabled on the FortiGate.
Bash / Shell
#!/bin/bash
# FortiGate CVE-2025-59718 Remote Check Script
# Requires: curl, jq
# Usage: ./check_fortigate.sh <FGT_IP> <API_TOKEN>
FGT_IP="$1"
API_TOKEN="$2"
if [ -z "$FGT_IP" ] || [ -z "$API_TOKEN" ]; then
echo "Usage: $0 <FGT_IP> <API_TOKEN>"
exit 1
fi
# Check Firmware Version
echo "Checking firmware version for $FGT_IP..."
VERSION=$(curl -k -s "https://${FGT_IP}/api/v2/cmdb/system/status" \
-H "Authorization: Bearer $API_TOKEN" \
| jq -r '.results.Firmware Version')
echo "Current Version: $VERSION"
# Note: Replace 'v7.2.0' with actual patched version from Fortinet advisory
# This is a placeholder logic for version comparison
if [[ "$VERSION" < "v7.2.10" ]]; then
echo "[ALERT] Firmware version appears vulnerable. Review patch advisory immediately."
else
echo "[INFO] Firmware version appears patched (verify against official advisory)."
fi
# Check for recent admin logins (Last 100 entries)
echo "Checking for recent admin logins..."
curl -k -s "https://${FGT_IP}/api/v2/monitor/firewall/log" \
-H "Authorization: Bearer $API_TOKEN" \
-d "access_token=$API_TOKEN" \
-d "type=utm" \
-d "subtype=admin" \
-d "num=100" \
| jq -r '.results[] | select(.action=="login") | "\(.timestamp) - User: \(.user) - SrcIP: \(.srcip) - Method: \(.method)"'
echo "Check complete. If you see unexpected 'sso' logins or external srcip, investigate immediately."
Remediation
- Patch Immediately: Apply the relevant security updates released by Fortinet for CVE-2025-59718. Do not wait. Verify the patch level matches the specific advisory for your firmware train (e.g., 7.0, 7.2, 7.4).
- Review Admin Logs: Conduct a thorough audit of firewall admin logs for the past 30 days. Look for successful SSO logins from unfamiliar external IP addresses or logins occurring at unusual times.
- Reset Credentials: If you suspect exploitation, assume administrative credentials have been compromised. Rotate all admin passwords and reset SSO integration secrets (e.g., SAML certificates, OAuth tokens).
- Network Segmentation: Verify that strict segmentation is enforced. Ensure that the firewall management interfaces (HTTPS/SSH) are not accessible from the internet unless absolutely necessary, and if they are, restrict access via VPN or allow-listed IPs.
- Official Advisory: Refer to the Fortinet Security Advisory for CVE-2025-59718 for the complete list of fixed versions and upgrade paths.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
socmdrmanaged-socdetectionfortinetcve-2025-59718fortigatesso-bypass
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.