Listen to this Post

Introduction:
A critical vulnerability pair in Fortinet FortiGate firewalls (CVE-2025-59718 and CVE-2025-59719) is being actively exploited in automated attacks, allowing threat actors to create administrative users, enable VPN access, and exfiltrate full configuration files within seconds. This flaw, centered on the FortiCloud Single Sign-On (SSO) feature, underscores the severe risks inherent in exposed administrative interfaces and the rapid weaponization of new vulnerabilities in critical network perimeter devices.
Learning Objectives:
- Understand the mechanism behind the FortiGate SSO authentication bypass and privilege escalation vulnerabilities.
- Learn immediate mitigation steps, including CLI commands to disable the vulnerable features and audit for compromise.
- Develop a hardening checklist for FortiGate and similar network appliances to prevent future exploitation.
You Should Know:
- The Anatomy of the Attack: CVE-2025-59718 & CVE-2025-59719
The exploit chain targets firewalls with the FortiCloud SSO feature enabled, even if not actively used. CVE-2025-59719 is an authentication bypass flaw that allows an unauthenticated, remote attacker to gain an initial foothold. CVE-2025-59718 is a subsequent privilege escalation vulnerability that enables the attacker to elevate access to a super_admin role. With this level of access, the attacker can instantly create new local admin accounts, enable VPN (SSL-VPN or IPsec) access for them, and export the firewall’s complete configuration—a blueprint of your network security.
Step-by-step guide explaining what this does and how to use it:
1. Reconnaissance: Attackers scan the internet for FortiGate devices with port 9443 (or other admin interfaces) accessible.
2. Initial Exploitation: They send a specially crafted HTTP request to exploit CVE-2025-59719, bypassing authentication checks related to the FortiCloud SSO service.
3. Privilege Escalation: Using the gained session, they trigger CVE-2025-59718 to modify their privileges to the highest administrative level.
4. Persistence & Exfiltration: The attacker then executes a rapid sequence of commands:
config system admin: Add a new persistent administrator user.
`config vpn ssl web portal` or config user local: Enable VPN access for the new account.
show full-configuration: Export the entire firewall config for later analysis and lateral movement planning.
2. Immediate Mitigation: Disabling FortiCloud SSO via CLI
The primary mitigation is to disable the FortiCloud SSO feature. This is most reliably done through the FortiGate Command Line Interface (CLI), as GUI access may be unstable if under attack.
Step-by-step guide explaining what this does and how to use it:
1. Access your FortiGate CLI via SSH or the console port.
2. Enter the following commands in global configuration mode:
config system global set admin-https-redirect disable set admin-forticloud-sso-default enable set admin-forticloud-sso [disable | enable] end
Explanation: The `admin-forticloud-sso` setting is the main switch. Disabling it stops the vulnerable authentication flow. Disabling `admin-https-redirect` ensures management access remains on a dedicated port. The `set admin-forticloud-sso-default enable` command is part of Fortinet’s recommended fix to enforce local authentication as the default.
3. Verify the settings: `show system global | grep admin-`
3. Patching and Version Management
Fortinet has released patches. Immediately upgrade to a fixed firmware version. Do not rely solely on workarounds.
Step-by-step guide explaining what this does and how to use it:
1. Identify Your Version: In CLI, run get system status.
2. Check Fortinet’s Advisory: Refer to the official advisory (linked in the original post: https://lnkd.in/gYUSGeBs) for the exact fixed versions for your train (e.g., 7.4.9, 7.2.10, etc.). Note: Some comments indicate 7.4.8 is the recommended stable version, but you must apply the version that specifically addresses these CVEs.
3. Download & Install: Download the firmware from the Fortinet Support Portal. Upload it via GUI (System > Firmware) or CLI using execute restore image.
4. Schedule a Maintenance Window: Patching firewalls requires a reboot. Plan accordingly but act urgently.
4. Forensic Audit: Hunting for Compromise
Assume compromise and audit your device. Look for anomalous users, VPN configurations, and configuration changes.
Step-by-step guide explaining what this does and how to use it:
1. List All Admin Users: `config system admin` then show. Scrutinize every entry, especially newly created or recently modified accounts.
2. Review Local Users: `config user local` then show. Check for unknown users added to VPN groups.
3. Audit VPN Settings: `config vpn ssl web portal` then show. Look for unauthorized changes to allowed user groups or IP ranges.
4. Check System Logs for Exfiltration: In the GUI, navigate to Log & Report > System Events. Filter for logs containing `show full-configuration` or `show` commands executed by admin users around the time of the suspected breach. In CLI, you can use: `execute log filter category 0` and execute log display.
5. Network Hardening: Restricting Management Access
Prevent initial access by following the principle of least privilege for management interfaces.
Step-by-step guide explaining what this does and how to use it:
1. Implement Access Control Lists (ACLs):
config system interface edit "port1" config management-access-ip edit 1 set ipv4-address <Your_Management_Station_IP>/32 next end next end
This restricts HTTPS/SSH management access to a specific, trusted source IP.
2. Change Default Ports: Consider changing the default management ports (443, 9443, 22) to non-standard ones.
3. Enable Multi-Factor Authentication (MFA): Enforce MFA for all administrative accounts. Do not rely on password-only authentication.
6. Cloud-Hardening for Hybrid Deployments
For firewalls managed via FortiManager or exposed in cloud environments (AWS, Azure, GCP), additional layers are needed.
Step-by-step guide explaining what this does and how to use it:
1. Leverage Security Groups/NSGs: In AWS or Azure, configure security groups or network security groups to allow management traffic only from jump boxes or specific IP ranges. A sample AWS CLI command to revoke public access:
`aws ec2 revoke-security-group-ingress –group-id sg-xxx –protocol tcp –port 9443 –cidr 0.0.0.0/0`
2. FortiManager Policy Enforcement: Use FortiManager to centrally push the SSO-disable configuration and audit policies across all managed devices, ensuring consistency.
7. Building an Automated Response Playbook
Prepare for the next critical vulnerability by automating key detection and response steps.
Step-by-step guide explaining what this does and how to use it:
1. SIEM/SOAR Integration: Create alerts for logs containing `”action=execute”` and "cmd=show full-configuration".
2. Automated Containment Script: Develop a safe, approved script that can be triggered by your SOAR platform to temporarily block an attacking IP at the infrastructure level (e.g., using AWS WAF or an external firewall). Example snippet for an edge device:
`iptables -A INPUT -s -j DROP`
- Configuration Backup & Drift Detection: Use automated tools (like RANCID or oxidized) to frequently backup configurations and alert on unauthorized changes.
What Undercode Say:
- The Perimeter is Fragile: This exploit demonstrates that the network firewall, the very device trusted to secure the perimeter, can become the single point of catastrophic failure if its management plane is compromised.
- Speed is the New Weapon: The “within seconds” timeline highlights that manual patching cycles are obsolete. Defense now requires automated detection, immediate mitigation via pre-defined hardening, and an assumption that critical vulnerabilities will be exploited before most teams can even read the advisory.
The analysis reveals a deeper industry issue: the complexity of network appliances, with features like cloud SSO enabled by default, vastly expands the attack surface. While Fortinet provided patches, the operational cost and expertise required for timely response is overwhelming for many organizations, leading to extended windows of exposure. This incident is less about a single vendor’s flaw and more about the unsustainable model of reactive, manual security maintenance for critical infrastructure.
Prediction:
This attack pattern will accelerate the shift towards Zero Trust Network Access (ZTNA) and cloud-native firewalling. As traditional VPNs and perimeter firewall management interfaces continue to be prime targets, organizations will increasingly adopt agent-based access solutions that do not require opening inbound ports on firewalls. Furthermore, expect regulatory bodies to start mandating stricter benchmarks for secure default configurations on network devices, potentially holding vendors to a higher standard for “secure-by-default” settings, moving beyond the current “patch-after-disclosure” model. The era of the internet-exposed firewall admin interface is coming to a forced end.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


