
Two critical authentication bypass vulnerabilities in the management infrastructure of Fortinet's threat protection products have been actively exploited. Because CVE-2025-59718 and CVE-2025-59719 are already under attack, there is an urgent need to apply the fixes. The vulnerabilities have been used to give attackers administrative access through the FortiCloud SSO functionality.
🔐 Fortinet FortiCloud SSO Vulnerabilities
Critical SAML Authentication Bypass Vulnerabilities
⚠️ Root Cause: Improper SAML Cryptographic Signature Verification
- The core problem is incorrect verification of cryptographic signatures
- The flaw sits in the SAML authentication process
- SAML is the protocol used to exchange identity assertions with the cloud identity provider
- When signature validation fails, the whole trust model is compromised
- The device parses the identity claims contained in the SAML response
- An attacker could forge SAML response messages
- No private key is needed to construct such a response
- The device trusts the SAML content as received
- The attacker poses as an admin user
- Full administrative access is granted on the basis of the forged claim
- The authentication bypass happens before any password prompt is reached
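The list above describes a trust-model failure: the device acts on the identity claims before a valid signature from the identity provider has been established. The Go program below is an added example written for this article, not Fortinet code and not the actual FortiOS implementation; it models a SAML-style response as a small struct signed with RSA over a canonical byte form (real SAML uses XML signatures), and places a verifier with the flaw class beside a hardened one. The names `Assertion`, `Response`, `vulnerableVerify` and `hardenedVerify`, and the issuer and user strings, are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is a toy stand-in for the identity claims carried in a SAML
// response (issuer, subject, role). Constructed model, not FortiOS code.
type Assertion struct {
	Issuer  string
	Subject string
	Role    string
}

// Response bundles the assertion with the signature the IdP produced over it.
// A missing signature is represented by an empty slice.
type Response struct {
	Assertion Assertion
	Signature []byte
}

// canonical returns the exact bytes that get signed. Real SAML relies on XML
// canonicalisation; a fixed field order is enough for this toy model.
func canonical(a Assertion) []byte {
	return []byte("issuer=" + a.Issuer + "\nsubject=" + a.Subject + "\nrole=" + a.Role + "\n")
}

// signResponse is what a legitimate identity provider does: sign the canonical
// assertion with its private key.
func signResponse(a Assertion, idpKey *rsa.PrivateKey) (Response, error) {
	digest := sha256.Sum256(canonical(a))
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		return Response{}, err
	}
	return Response{Assertion: a, Signature: sig}, nil
}

// vulnerableVerify models the flaw class described above: the claims are
// trusted whether or not the signature check succeeds. A signature is only
// examined when present, and its result never gates acceptance.
func vulnerableVerify(r Response, idpPub *rsa.PublicKey) (Assertion, error) {
	if len(r.Signature) > 0 {
		digest := sha256.Sum256(canonical(r.Assertion))
		// BUG: the verification error is discarded, so a bad signature passes,
		// and an absent signature is never even checked.
		_ = rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], r.Signature)
	}
	return r.Assertion, nil
}

// hardenedVerify releases the claims only after a mandatory signature check
// against the pinned IdP public key and an issuer match.
func hardenedVerify(r Response, idpPub *rsa.PublicKey, expectedIssuer string) (Assertion, error) {
	if len(r.Signature) == 0 {
		return Assertion{}, errors.New("unsigned response rejected")
	}
	digest := sha256.Sum256(canonical(r.Assertion))
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], r.Signature); err != nil {
		return Assertion{}, errors.New("signature does not verify under the IdP key")
	}
	if r.Assertion.Issuer != expectedIssuer {
		return Assertion{}, errors.New("unexpected issuer")
	}
	return r.Assertion, nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	legit, _ := signResponse(Assertion{"idp.example", "alice", "admin"}, idpKey)
	// An unsigned admin claim: nothing secret was needed to build it.
	forged := Response{Assertion: Assertion{"idp.example", "mallory", "admin"}}
	for _, r := range []Response{legit, forged} {
		_, vErr := vulnerableVerify(r, &idpKey.PublicKey)
		_, hErr := hardenedVerify(r, &idpKey.PublicKey, "idp.example")
		fmt.Printf("subject=%s accepted: vulnerable=%v hardened=%v\n",
			r.Assertion.Subject, vErr == nil, hErr == nil)
	}
}
```

The design point is the order of operations: the hardened verifier never looks at the claims until the signature has been checked against a key it already trusts, so an assertion that is unsigned, signed with the wrong key, or modified after signing is rejected before any role is read.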
[Figure: SAML Vulnerability Flow: Improper Cryptographic Signature Verification in Cloud Auth. Panels: Attack Flow; Security Issues]
FortiCloud SSO as an Unintended Attack Surface
- A critical vulnerability, scoring 9.1 or more on the CVSS scale
- The high severity reflects how easy the flaw is to exploit
- Attackers can acquire super-admin rights
- This lets them change firewall rules and disable security logging
- The vulnerabilities are reachable from the public internet
- Management interfaces exposed to the internet are at the greatest risk
- FortiCloud SSO is disabled in the factory settings
- Registering the device with FortiCare through the GUI enables FortiCloud SSO automatically
- The feature then stays enabled unless the SSO toggle is turned off manually
Immediate Mitigation and Patch Guidance
Numerous firms may therefore be exposed without knowing it. Malicious login activity was recorded from December 12, 2025 onward. The traffic has been traced to IP addresses in Asia, the US, and Germany; in particular, addresses belonging to hosting providers such as The Constant Company and Kaopu Cloud HK are frequently cited. Attackers have used the resulting admin logins to export device configurations. Organizations should treat upgrading to a patched version as a priority:
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.14 | Upgrade to 7.2.15 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.21 | Upgrade to 7.0.22 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiWeb 8.0 | 8.0.0 | Upgrade to 8.0.1 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiWeb 7.2 | Not affected | Not Applicable |
| FortiWeb 7.0 | Not affected | Not Applicable |
You are advised to upgrade to a fixed version from the table above. You can also reduce the risk by turning off the FortiCloud SSO function: in the GUI, go to the System settings, find the slider labelled “Allow administrative login using FortiCloud SSO” and turn it OFF. In addition, limit management access with the “Trusted Hosts” function, so that an attacker on the public internet cannot reach the login page at all. Lastly, reset all admin passwords if you find any of the IoCs.
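The Trusted Hosts restriction above amounts to a source-address allowlist applied to every administrative login, SSO included, and the same allowlist is a useful lens for reviewing past logins once the device has been patched. The Go program below is an added example for this article, not Fortinet code, configuration or log format; the `LoginEvent` record shape, the prefixes in `trustedHosts` and the sample events are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/netip"
)

// LoginEvent is a constructed record shape for one administrative login
// attempt. It stands in for whatever your log pipeline produces and is not a
// FortiOS log format.
type LoginEvent struct {
	User   string
	Method string // "sso" for FortiCloud SSO, "password" for a local login
	Source string // source IP address as text
}

// mustPrefixes parses CIDR strings and panics on a typo, so a malformed
// allowlist fails at startup instead of silently allowing nothing or everything.
func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// trustedHosts mirrors the "Trusted Hosts" idea: management logins are only
// legitimate from these networks. The values are constructed placeholders.
var trustedHosts = mustPrefixes("10.10.0.0/24", "192.0.2.10/32")

// allowed reports whether a source address falls inside any trusted prefix.
// Unparsable addresses are treated as untrusted rather than skipped.
func allowed(source string, hosts []netip.Prefix) bool {
	addr, err := netip.ParseAddr(source)
	if err != nil {
		return false
	}
	for _, p := range hosts {
		if p.Contains(addr.Unmap()) {
			return true
		}
	}
	return false
}

// triage returns the logins that warrant investigation: every administrative
// login, SSO or password, whose source lies outside the trusted hosts. Under
// the bypass described in this article, a forged SSO login from the internet
// shows up here even though the device itself accepted it.
func triage(events []LoginEvent, hosts []netip.Prefix) []LoginEvent {
	var suspicious []LoginEvent
	for _, e := range events {
		if !allowed(e.Source, hosts) {
			suspicious = append(suspicious, e)
		}
	}
	return suspicious
}

func main() {
	// Constructed sample events; the public address is from a documentation range.
	events := []LoginEvent{
		{"admin", "password", "10.10.0.15"},
		{"admin", "sso", "198.51.100.7"},
		{"admin", "sso", "192.0.2.10"},
	}
	for _, e := range triage(events, trustedHosts) {
		fmt.Printf("investigate: user=%s method=%s source=%s\n", e.User, e.Method, e.Source)
	}
}
```

Enforcing the allowlist on the device keeps the login page out of reach of the internet; running the same check over historical login records tells you which sessions to treat as IoCs and which admin credentials to reset.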
Conclusion: When Authentication Fails, Perimeter Security Collapses
The Fortinet SSO authentication bypass exposes a hard truth about modern infrastructure security. When identity validation breaks, attackers do not need malware, exploits, or credentials. A forged SAML response is enough to gain full administrative control. In this case, the compromise happens before any password prompt appears, turning trusted management interfaces into open doors.
Once admin access is obtained, firewalls can be reconfigured, logging disabled, and defenses weakened silently. At that point, the security device itself becomes the attack platform.
Why This Risk Extends Beyond Fortinet
This incident is not just a Fortinet issue. It reflects a broader, systemic risk affecting many organizations today:
- Authentication flaws expose management planes directly to the internet
- Cloud-connected features expand the attack surface by default
- Misconfigurations remain invisible without continuous assessment
- Legacy devices run vulnerable firmware longer than expected
- Admin access can be lost without triggering endpoint alerts
When trust is broken at the identity layer, traditional security controls offer little resistance.