Critical Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet has disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products. These flaws stem from improper verification of cryptographic signatures in the FortiCloud SSO login feature, allowing unauthenticated attackers to bypass authentication by sending crafted SAML response messages. The vulnerabilities are remotely exploitable and impact a wide range of product versions, but the FortiCloud SSO login is not enabled by default unless the device is registered to FortiCare and the feature is explicitly activated.
Administrators are strongly advised to disable the FortiCloud SSO login feature if enabled and to apply the latest security updates provided by Fortinet. Additional mitigations include using the device's GUI or CLI to turn off administrative login via FortiCloud SSO. Fortinet also addressed other vulnerabilities in the same advisory, but the authentication bypass flaws pose the most immediate risk due to their critical severity and potential for exploitation in the wild. Organizations should prioritize patching and review their FortiCloud SSO configurations to reduce exposure.
Timeline
Dec 9, 2025
Government cyber defenders urge organizations to patch
On 2025-12-09, the Canadian Centre for Cyber Security highlighted Fortinet's advisories and urged users and administrators to review them and apply the necessary updates. The alert emphasized the risk of authentication bypass and stated that no active exploitation had been reported as of that date.
Dec 9, 2025
Fortinet issues mitigation guidance for affected administrators
Alongside the patches, Fortinet advised administrators to apply updates immediately, review FortiCloud SSO settings, and disable FortiCloud SSO login until systems are updated. Advisories also noted additional fixes for CVE-2025-59808 and CVE-2025-64471.
Dec 9, 2025
Fortinet discloses and patches FortiCloud SSO auth bypass flaws
On 2025-12-09, Fortinet released security advisories and patches for critical vulnerabilities CVE-2025-59718 and CVE-2025-59719 affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The flaws allow FortiCloud SSO authentication bypass via crafted SAML messages when the FortiCloud SSO login feature is enabled.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Malware
Sources
Related Stories
Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet disclosed two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws allow unauthenticated attackers to bypass FortiCloud SSO login authentication by sending crafted SAML messages if the FortiCloud SSO feature is enabled. The vulnerabilities are not exploitable by default, but become active when devices are registered to FortiCare with administrative SSO enabled, increasing the risk for organizations that have enabled this feature. No exploitation in the wild or public proof-of-concept code has been reported as of the latest advisories, but security experts warn that threat actors are likely to target these vulnerabilities for initial access in the future. Fortinet and security researchers strongly recommend immediate upgrades to the latest fixed versions for all affected products to mitigate the risk. Detailed version guidance and mitigation steps have been provided to ensure organizations can secure their environments against potential attacks leveraging these flaws.
1 months ago
Critical Authentication Bypass Vulnerabilities in Fortinet Products via FortiCloud SSO
Fortinet has disclosed and patched two critical authentication bypass vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws, rated with a CVSS score of 9.1, stem from improper verification of cryptographic signatures in the FortiCloud SSO login process. An unauthenticated attacker could exploit these vulnerabilities by sending a crafted SAML message, potentially gaining unauthorized administrative access if FortiCloud SSO is enabled. By default, FortiCloud SSO is disabled, but it is automatically enabled during FortiCare registration unless the administrator explicitly disables the relevant toggle. Fortinet has released fixed versions for all affected products and strongly recommends that organizations upgrade immediately. As a temporary mitigation, disabling the FortiCloud SSO login feature is advised until the upgrade can be completed. There is currently no evidence of exploitation in the wild, and no public proof-of-concept code is available, but the history of threat actors targeting Fortinet products underscores the urgency of patching. The vulnerabilities impact a range of versions across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, with unaffected versions and upgrade paths detailed in the advisories.
1 months ago
Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities Exploited in the Wild
Two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, have been identified in Fortinet products utilizing the FortiCloud SSO login feature. These flaws stem from improper verification of cryptographic signatures (CWE-347), allowing unauthenticated attackers to bypass SSO authentication and potentially gain administrative access. The vulnerabilities affect multiple Fortinet product lines, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled. Fortinet has clarified that FortiCloud SSO is disabled by default, but it becomes enabled if devices are registered via FortiCare through the GUI unless the relevant setting is manually disabled. Following public disclosure of these vulnerabilities, Arctic Wolf observed active exploitation attempts targeting FortiGate appliances. Malicious SSO logins were traced to several hosting providers, with attackers typically attempting to access the admin account. Indicators of compromise (IOCs) include specific IP addresses from The Constant Company LLC, Bl Networks, and Kaopu Cloud HK Limited. Organizations using affected Fortinet products are urged to review their SSO configurations, apply vendor patches, and monitor for suspicious login activity, especially from the identified IOCs.
3 weeks ago