Critical Authentication Bypass Vulnerabilities in Fortinet Products via FortiCloud SSO
Fortinet has disclosed and patched two critical authentication bypass vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws, rated with a CVSS score of 9.1, stem from improper verification of cryptographic signatures in the FortiCloud SSO login process. An unauthenticated attacker could exploit these vulnerabilities by sending a crafted SAML message, potentially gaining unauthorized administrative access if FortiCloud SSO is enabled. By default, FortiCloud SSO is disabled, but it is automatically enabled during FortiCare registration unless the administrator explicitly disables the relevant toggle.
Fortinet has released fixed versions for all affected products and strongly recommends that organizations upgrade immediately. As a temporary mitigation, disabling the FortiCloud SSO login feature is advised until the upgrade can be completed. There is currently no evidence of exploitation in the wild, and no public proof-of-concept code is available, but the history of threat actors targeting Fortinet products underscores the urgency of patching. The vulnerabilities impact a range of versions across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, with unaffected versions and upgrade paths detailed in the advisories.
Timeline
Dec 11, 2025
Security vendors and CERT-related channels flag the bugs for urgent remediation
By 2025-12-11, follow-on reporting said national CERTs and major vulnerability scanners had highlighted the two Fortinet flaws for immediate remediation because successful exploitation could grant full administrative access. This reflected broader defensive escalation after the vendor disclosure.
Dec 9, 2025
Fortinet says no in-the-wild exploitation is known
In its advisory, Fortinet stated there was no known in-the-wild exploitation and no public proof-of-concept at the time of disclosure. The company recommended upgrading to fixed versions and temporarily disabling FortiCloud SSO administrative login until patching is completed.
Dec 9, 2025
Fortinet discloses and patches CVE-2025-59718 and CVE-2025-59719
On 2025-12-09, Fortinet issued an advisory and released fixes for two critical authentication-bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled. The flaws stem from improper cryptographic signature verification in SAML processing and can allow unauthenticated attackers to bypass FortiCloud SSO login with crafted SAML messages.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
2 more from sources like threatprotect.qualys.com and cve akaoma
Related Stories
Critical Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet has disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products. These flaws stem from improper verification of cryptographic signatures in the FortiCloud SSO login feature, allowing unauthenticated attackers to bypass authentication by sending crafted SAML response messages. The vulnerabilities are remotely exploitable and impact a wide range of product versions, but the FortiCloud SSO login is not enabled by default unless the device is registered to FortiCare and the feature is explicitly activated. Administrators are strongly advised to disable the FortiCloud SSO login feature if enabled and to apply the latest security updates provided by Fortinet. Additional mitigations include using the device's GUI or CLI to turn off administrative login via FortiCloud SSO. Fortinet also addressed other vulnerabilities in the same advisory, but the authentication bypass flaws pose the most immediate risk due to their critical severity and potential for exploitation in the wild. Organizations should prioritize patching and review their FortiCloud SSO configurations to reduce exposure.
1 months ago
Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet disclosed two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws allow unauthenticated attackers to bypass FortiCloud SSO login authentication by sending crafted SAML messages if the FortiCloud SSO feature is enabled. The vulnerabilities are not exploitable by default, but become active when devices are registered to FortiCare with administrative SSO enabled, increasing the risk for organizations that have enabled this feature. No exploitation in the wild or public proof-of-concept code has been reported as of the latest advisories, but security experts warn that threat actors are likely to target these vulnerabilities for initial access in the future. Fortinet and security researchers strongly recommend immediate upgrades to the latest fixed versions for all affected products to mitigate the risk. Detailed version guidance and mitigation steps have been provided to ensure organizations can secure their environments against potential attacks leveraging these flaws.
1 months ago
Fortinet Authentication Bypass Vulnerabilities Exploited in the Wild
CISA has added two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting multiple Fortinet products—including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager—to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. These flaws stem from improper verification of cryptographic signatures in the FortiCloud Single Sign-On (SSO) mechanism, allowing unauthenticated attackers to bypass authentication via specially crafted SAML messages. Fortinet has released advisories and patches, and CISA has set a remediation deadline for federal agencies, urging immediate patching or, if not possible, discontinuation of affected products until mitigations are in place. The vulnerabilities are not enabled by default but can be activated during FortiCare registration unless administrators disable the relevant SSO toggle. Security researchers have observed exploitation attempts shortly after the patch release, highlighting the urgency for organizations to update their systems. CISA's guidance mandates compliance with BOD 22-01 for federal agencies, and all organizations using affected Fortinet products are strongly advised to apply patches or disable the vulnerable SSO feature to prevent unauthorized access to their networks.
1 months ago