What is CVE-2025-59718 in FortiGate?

SSO login bypass via bad crypto sig verification. Patch ASAP if vulnerable.

How do attackers exploit FortiGate CVE-2025-59718?

Bypass auth, gain foothold, enum creds with Mimikatz, lateral via PsExec/RDP.

How to detect FortiGate CVE-2025-59718 attacks?

Watch internal DHCP IPs authing sans VPN, anomalous enum/SMB, Mimikatz traces.

Inside the FortiGate Breach: CVE-2025-59718 Let Attackers Ghost In

Attackers cracked a FortiGate firewall via CVE-2025-59718, bypassed SSO, and prowled silently inside. Responders caught them mid-lateral move—here's the raw playbook.

CVE Watch Apr 11, 2026 3 min read

FortiGate firewall logs showing anomalous internal IP authentication during CVE-2025-59718 exploitation

⚡ Key Takeaways

Attackers used CVE-2025-59718 for stealthy SSO bypass on FortiGate, mimicking admins perfectly. 𝕏
IR timeline reconstruction via 'inside-out' from alerts revealed the edge device as entry. 𝕏
Hunt anomalous DHCP IPs and Mimikatz for detection; patch and log deeply to prevent. 𝕏

Published by

CVE Watch

Threat intelligence. Zero noise.

#CVE-2025-59718 #FortiGate #Mimikatz #SSO bypass #incident response #lateral movement

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Rapid7 Blog

⚡ Key Takeaways

The 60-Second TL;DR

CVE Watch

Share this article

Worth sharing?

Related Stories

CrowdStrike's Flex for Services: Flexible Fix or Sticky Upsell?

UNC6201 Ditches BRICKSTORM for Sneakier GRIMBOLT in Dell Zero-Day Heist

Edge Decay: Attackers Are Breaching Your 'Secure' Firewall First

Rapid7 Cracks Open Cellular IoT: No Tamper Protections on Any Tested Device

Stay in the loop