Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving exploitation of CVE-2025-59718 against a vulnerable FortiGate appliance. In December 2025, Fortinet disclosed this improper verification of cryptographic signature vulnerability that facilitates an SSO login bypass on affected appliances. After the initial exploitation, the attackers maintained a low-profile posture, systematically compromising additional firewalls before moving to internal network hosts. Ultimately, this grace period allowed responders to contain the threat before further impact could occur within the environment. This blog details exploitation insights, attack progression, and practical detection opportunities for defenders handling their own environments.
Investigative methodology: Tracing the initial access vector in FortiGate appliances
Identifying the Initial Access Vector (IAV) is a cornerstone of any incident response engagement. However, when the source of compromise is not immediately obvious, particularly when edge device exploitation is involved, responders often need to take a broader investigative approach. Rather than starting with a clear point of entry, investigators must analyze the available telemetry, reconstruct attacker activity, and work backwards to determine how access was first obtained.
This process often involves multiple investigative workstreams running in parallel, each designed to answer different questions about the intrusion. As many IR responders and enthusiasts know, the first suspicious event observed during an investigation is rarely the first action taken by the attacker. Instead, it typically represents a point somewhere in the middle of a larger attack chain.
A key step in incident response investigations is reconstructing the attacker timeline. Responders often take an “inside out” approach where they move outward from the initial alert to the full scope of the malicious activity (IAV), correlating multiple data sources to map the unfolding of the event. This process involves examining authentication logs, endpoint telemetry, firewall events, and records of system changes, rather than depending on just one log source. It also typically requires frequent pivoting between artifacts as investigations rarely ever unfold in a linear fashion. By aligning these findings and events chronologically, investigators often identify activity that predates the initial alert.
CVE-2025-59718: Technical analysis and observed attacker behavior
The first activity that drew attention was enumeration and credential discovery within the internal environment. This basic enumeration included gathering information about users, systems, and accessible resources within common user directories. This activity eventually expanded to SMB-based file scraping and network share access, allowing attackers to review files stored across the environment. While this behavior resembled routine administration, the chronological sequence of file scraping and network share access painted a clear picture of an attacker’s initial discovery phase.
Digging deeper into the credential discovery activity, the popular tool Mimikatz was utilized to harvest credentials from various sources within the impacted environment. The attacker’s objective was to obtain valid credentials to an elevated admin account with the goal to blend in.
With credentials in hand and mimicking admin activity to disguise their actions, the attacker was then enabled to move laterally throughout the environment using common administrative tools and access methods. PsExec and Microsoft Remote Desktop (RDP) were two tools utilized for lateral movement while standard web browsers facilitated application access.
Attackers appeared particularly interested in systems that could provide broader access to the environment, including virtualization platforms, domain controllers, and servers supporting backup infrastructure. These systems often represent high-value targets for attackers seeking to escalate privileges, access sensitive data, or disrupt recovery capabilities.
Responders were working simultaneously to contain the attacker while building the narrative to cut them off at the source. With the current understanding of the narrative, the IAV puzzle began to unravel as more information came to light. Strangely, the first authentication into the Windows environment originated from an internal IP address that did not align with the known internal IP address ranges. It turns out, this internal IP address fell within the DHCP lease range of the FortiGate device. At first glance, this could be written off as legitimate VPN activity. However, to create even more questions, it was revealed that the FortiGate SSL VPN was never turned on within this environment. This revelation made the FortiGate device a prime suspect for IAV.
Taking a closer look at the FortiGate device, specifically system logs and configuration data, revealed early indications that the device had been modified to support continued access. The SSL VPN component had been enabled, and multiple configuration changes were identified, including edits to VPN settings, the creation of new firewall policies, and adjustments to configuration parameters. These changes appeared in FortiGate system logs as configuration updates similar to the following:
logid="0100044546" type="event" subtype="system" level="information"
vd="root" logdesc="Attribute configured" user="admins"
ui="GUI(45.32.216[.]250)" action="Edit" cfgpath="vpn.ssl.settings"
msg="Edit vpn.ssl.settings"
⠀
logid="0100044547" type="event" subtype="system" level="information"
vd="root" logdesc="Object attribute configured" user="admins"
ui="GUI(45.32.216[.]250)" action="Add" cfgpath="firewall.policy"
cfgobj="XX" msg="Add firewall.policy"
⠀
While these types of changes may seem routine in isolation, it is the combination and timing of these actions that raises concerns from a responder's perspective. The investigation's next key clue was identified when the source of these changes was traced back to a newly created account.
Following this thread further, investigators identified that multiple accounts had been created on the device, including SSO administrator, system administrator, and local accounts. Several of these accounts were associated with email domains attributed to Namecheap-hosted infrastructure, including domains such as openmail[.]pro. Notably, some of the newly created SSO administrator accounts were linked to forticloud.com domains as reflected in log entries such as:
Object attribute configured(Add system.sso-forticloud-admin@forticloud.com-1)
⠀
For responders, the creation of multiple new administrative accounts is often a strong indicator of persistence being established. Continuing to work backwards through the timeline, investigators identified that prior to these account creation events, the device’s configuration file was downloaded through the FortiGate UI. From an investigative perspective, configuration exports are highly valuable to attackers because they effectively serve as a blueprint of the environment, exposing network architecture, authentication mechanisms/settings, device relationships, and occasionally, sensitive credentials.
logid="0100032095" type="event" subtype="system" level="warning"
vd="root" logdesc="Admin performed an action from GUI" user="admin"
ui="GUI(104.28.227[.]105)" action="download" status="success"
msg="System config file has been downloaded by user admin via GUI(104.28.227[.]105)"
⠀
The session associated with the configuration download was established from an external IP address flagged as “malicious” by security vendors with a local account already present on the device. All of these new findings from the attacker’s actions can now be utilized as IOCs to scope available FortiGate logs to determine any other leads.
By correlating activity with the known malicious IP addresses, investigators identified the true entry point: administrative SSO logins to the FortiGate appliance with valid accounts. Another important detail was that there was no evidence of brute-forcing activity for these local accounts. The initial access was established approximately two weeks before any subsequent malicious activity, indicating the attacker used this time to secure consistent access to the environment via the FortiGate device.
Actions such as changing configurations, creating accounts, and downloading configurations might seem harmless individually. However, when viewed together, these activities established a clear pattern consistent with the exploitation of CVE-2025-59718 that facilitated authentication bypass.
Once this groundwork was established through persistence mechanisms and discovery, attackers began authenticating into the environment with their newly created accounts via the SSL VPN connections that led us to investigate the FortiGate device in the first place. These sessions effectively transformed the firewall into an ingress point into the internal network, allowing attackers to move beyond the edge device.
This investigation highlights a common reality in incident response where the first indicator of suspicious activity is rarely the beginning of the story. Instead, responders are often working from a point somewhere in the middle, tasked with reconstructing attacker behavior and peeling back layers of activity to uncover how access was first obtained.
By following the digital breadcrumbs left behind within available evidence sources, investigators were able to trace the intrusion back to its origin. This process emphasizes the importance of working backward through artifacts and telemetry, recognizing that each piece of data may lead to an earlier stage of attacker activity.
Network edge devices such as firewalls and VPN appliances are often the main vectors of initial access. Despite being critical infrastructure in modern environments, full visibility is rarely achieved in comparison to monitored endpoints. These edge devices can provide valuable evidence during investigations and reveal how initial access went unnoticed.
Conclusion: Key takeaways for defenders
The human element of investigation is crucial. Effective investigations demand a mindset of curiosity; on one side the willingness to dig deeper, and on the other, the ability to look at the big picture. At face value these can seem contradictory, but each facilitates a specific role within an incident response investigation.
Curiosity is what drives responders to grapple with the initial evidence, question assumptions, and identify which threads are worth pulling. It allows responders to move beyond surface-level observations and begin forming hypotheses about what may have occurred. The willingness to dive deeper is what turns those hypotheses into answers. Rather than stopping at the first suspicious event, responders must continue pivoting across logs, correlating activity, and tracing actions further back in time. At the same time, maintaining a big-picture perspective is critical. Individual artifacts or events may appear benign in isolation but when viewed chronologically the attacker behavior emerges.
Looking past any specific incident response methodology, visibility into the environment is essential. Even the strongest investigative approach is limited without access to the right telemetry, thus preventing responders from fully reconstructing an intrusion. In particular, as seen within this investigation, visibility into edge device activity can play a crucial role in unraveling IAV. The network edge is a hostile environment yet is frequently less monitored.
As is often the case with externally facing services and devices, the network edge is constantly targeted. Due to the sheer volume of persistent targeting, this environment can prove difficult to monitor for successful malicious intrusions. Implementing centralized syslog monitoring across these edge devices can close these visibility gaps. It can provide a real-time audit trail of connection attempts, configuration changes, and potential exploit signatures that occur before a threat reaches the internal network.
By effectively pulling on each investigative thread and ensuring visibility across both internal systems and edge devices, defenders can uncover compromises that might otherwise remain hidden. Often, the path to the beginning of the intrusion is already present; it simply requires knowing where, and how, to look.
Detection coverage for Rapid7 customers
Rapid7 actively monitors for emerging threats and leverages evidence from incident response engagements to develop new detection capabilities. Detections have been created and implemented by Rapid7 to pinpoint both exploitation attempts and post-exploitation activities related to FortiGate CVE-2025-59718. For InsightIDR and MDR customers, these detections alert on attacker activity consistent with the techniques described in this blog, enabling earlier identification and response before an intrusion can escalate further.
Detections:
Potential Exploitation - FortiGate Admin SSO Login and Config Download via External IP
Exfiltration - FortiGate Config Downloaded Using GUI via External IP
Suspicious Authentication - FortiGate SSO Login via External IP
Mitigation guidance
Please refer to our initial blog from December, 2025.
MITRE ATT&CK Techniques
Tactic | Technique | Details |
Initial Access | Exploit Public-Facing Application (T1190) | Exploitation of vulnerability CVE-2025-59718 on FortiGate firewalls. |
Persistence | Create Account (T1136) | Creation of local accounts on FortiGate firewalls. |
Persistence and Initial Access | Valid Accounts (T1078) | Use of created accounts and compromised accounts for SSL VPN and RDP authentication. |
Defense Evasion | Impair Defenses (T1562) | Firewall rules added to allow for attacker access. |
Credential Access | OS Credential Dumping (T1003) | Execution of Mimikatz targeting the local system and Windows Registry hives containing credentials. |
Discovery | System Network Configuration Discovery (T1016) | Download of FortiGate firewall configuration files containing sensitive networking information. |
Discovery | Network Service Scanning (T1046) | Execution of network scanning tools such as Advanced_Port_Scanner to scan internal IP addresses over SMB protocol. |
Lateral Movement | Remote Services (T1021) | Use of Remote Desktop Protocol (RDP). |
Execution | Service Execution (T1569.002) | Remote execution of the sysinternals tool PsExec to test credentials against an impacted system. |
Indicators of compromise (IOCs)
IOC | Description |
Advanced_IP_Scanner_2.5.4594.1.exe | Advanced IP Scanner tool utilized by the attacker. |
advanced_ip_scanner.exe | Advanced IP Scanner tool utilized by the attacker. |
mimikatz.exe | An open-source post-exploitation tool utilized by the attacker to extract sensitive authentication credentials. |
Advanced_port_scanner_2.5.3869.exe | An open-source network utility utilized by the attacker to quickly map active devices and identify open ports. |
23.163.8[.]21 | Attacker IP address that targeted FortiGate device. |
45.32.216[.]250 | IP address used by the attacker during FortiGate configuration changes. |
45.84.107[.]17 | IP address identified in malicious interaction with SSLVPN. |
45.80.186[.]84 | IP address identified in malicious interaction with SSLVPN. |
185.219.157[.]127 | IP address identified in malicious interaction with SSLVPN. |
185.175.59[.]238 | IP address identified in malicious interaction with SSLVPN. |
198.98.54[.]209 | Attacker IP address that targeted FortiGate device and SSO login. |
45.80.184[.]229 | Attacker IP address that targeted FortiGate device and SSLVPN. |
45.80.184[.]241 | Attacker IP address that targeted FortiGate device and SSLVPN. |
42.200.230[.]178 | Attacker IP address that targeted FortiGate device and SSLVPN. |
103.20.235[.]155 | IP address identified in malicious authentications to SSO login. |
104.28.227[.]105 | IP address identified in attacker download of FortiGate configuration file. |
FortiGate CVE-2025-59718 Exploitation: Incident Response Findings
Source: Rapid7
Source Link: https://www.rapid7.com/blog/post/ve-fortigate-cve-2025-59718-exploitation-incident-response-ir-findings