Fortinet has issued an urgent security advisory addressing two critical authentication bypass vulnerabilities affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. The flaws—tracked as CVE-2025-59718 and CVE-2025-59719—allow attackers to bypass FortiCloud Single Sign-On (SSO) authentication using a maliciously crafted SAML message.
Although the FortiCloud SSO feature is not enabled by default, many organizations activate it automatically when registering their devices with FortiCare, often without noticing that FortiCloud SSO has also been turned on. This creates a dangerous situation: a critical, remotely exploitable authentication bypass may be active on thousands of production firewalls and web application firewalls (WAFs).
For CISOs, this is yet another reminder that Fortinet appliances remain high-value targets for both ransomware gangs and state-sponsored threat actors—and that misconfigured cloud-linked features introduce additional risk.
Summary of Critical Vulnerabilities
1️⃣ CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager)
A flaw in the verification of cryptographic signatures within FortiCloud SSO authentication allows attackers to bypass authentication by supplying a specially crafted SAML response.
2️⃣ CVE-2025-59719 (FortiWeb)
A similar vulnerability affecting FortiWeb appliances, allowing attackers to authenticate without valid credentials via manipulated SAML messages.
Root Cause: Improper Signature Validation in SAML Flow
Fortinet explains that the vulnerabilities stem from weak verification of cryptographic signatures, enabling impersonation of legitimate FortiCloud identity assertions.
This type of SSO signature weakness is particularly dangerous because:
- It grants administrative access
- It bypasses multi-factor authentication (MFA)
- It may allow lateral movement toward internal management networks
- It enables full takeover of Fortinet appliances, a known precursor to ransomware deployment
FortiCloud SSO Not Enabled by Default — But Often Enabled Accidentally
Fortinet emphasizes in its advisory:
“The FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device GUI, FortiCloud SSO login becomes enabled unless manually disabled.”
This means many organizations may unknowingly be exposed.
Immediate Mitigation Required
Fortinet recommends temporarily disabling FortiCloud SSO until systems are upgraded to patched firmware versions.
Disable via GUI
System → Settings → Allow administrative login using FortiCloud SSO → Off
Disable via CLI
config system global
set admin-forticloud-sso-login disable
end
If FortiCloud SSO is not in use, it is recommended to leave it permanently disabled.
Additional Fortinet Vulnerabilities Patched Today
Fortinet also released fixes for two other impactful vulnerabilities:
CVE-2025-59808 – Unverified Password Change
An attacker who gains access to a user account can reset the password without knowing the old password.
This dramatically increases post-exploitation persistence.
CVE-2025-64471 – Hash-Based Authentication Bypass
Threat actors may authenticate using the password hash instead of the real password, bypassing the need to crack credentials.
This issue is especially dangerous for environments using LDAP or Active Directory.
Why This Matters: Fortinet Devices Remain High-Value Targets
Over the past three years, Fortinet appliances have repeatedly been exploited in:
- Zero-day campaigns
- Ransomware intrusions
- Nation-state espionage operations
Notable incidents include:
Volt Typhoon (China) – Military Network Backdoor
Chinese APT group Volt Typhoon exploited FortiOS SSL VPN flaws (CVE-2023-27997 and CVE-2022-42475) to deploy the Coathanger RAT inside the Dutch Ministry of Defence.
FortiSIEM Command Injection (CVE-2025-25256)
Public exploit code appeared within hours, driving widespread scanning and brute-force attacks.
FortiWeb Zero-Day Wave (2025)
- CVE-2025-58034 actively exploited
- CVE-2025-64446 silently patched
- Mass exploitation observed by multiple SOCs
Fortinet SSL VPN Brute-Force Campaigns
GreyNoise and multiple CERTs saw sustained, global brute-force waves targeting Fortinet VPNs for initial access.
Strategic Risk for CISOs
Fortinet appliances often sit at the perimeter with full visibility into encrypted traffic, VPN access, and authentication flows. A compromise can lead to:
- Complete network access
- Credential harvesting
- MITM or session hijacking
- Backdoor installation
- Disabling of logs
- Silent configuration tampering
These attacks are frequently invisible unless explicit integrity monitoring and continuous configuration auditing are in place.
Recommended Actions for CISOs and Security Teams
1. Disable FortiCloud SSO Immediately (if enabled)
Even if not in use — disable it until you are certain all devices are patched.
2. Patch All Fortinet Appliances Without Delay
Prioritize:
- FortiOS
- FortiProxy
- FortiSwitchManager
- FortiWeb
Check Fortinet’s official PSIRT advisories for the latest safe firmware versions.
3. Audit All Administrative Accounts
Look for:
- Password resets
- New admin accounts
- Unexpected role changes
- SSO configuration changes
4. Review All External Access Logs
Specifically:
- SSL VPN login events
- SAML authentication traces
- Administrative API requests
- Configuration changes or deletions
5. Implement Configuration Drift Monitoring
Continuous integrity monitoring of Fortinet appliances should be considered mandatory.
6. Enforce MFA Everywhere — But Remember MFA Does Not Protect SSO Signature Bypass
In SAML bypass scenarios, MFA can be completely sidestepped.
7. Treat Management Interfaces as Tier-0 Assets
Segregate from user networks, and restrict access via management VLANs or jump servers.
Conclusion
The FortiCloud SSO authentication bypass vulnerabilities underscore a broader truth: identity-layer attacks against network appliances are becoming the preferred method for achieving privileged access.
For CISOs, the message is clear:
Do not treat firewall and WAF authentication as “set and forget.”
Monitor cloud-linked features, continuously validate configuration integrity, and patch Fortinet appliances as a matter of urgency—not convenience.
Fortinet’s swift patch releases are commendable, but defenders must respond just as swiftly. Misconfigured SSO options, weak cryptographic validations, and cloud-linked identity flows present an expanding attack surface that adversaries—whether ransomware operators or state-sponsored groups—will continue to exploit.