Fortinet has disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO feature—affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. An attacker could gain unfettered administrative access using crafted SAML assertions when FortiCloud SSO is enabled. 

Fortinet's FortiCloud SSO improperly verifies SAML digital signatures, enabling takeover via forged assertions—rooted in cryptographic signature verification failures  

Vulnerabilities 

  • CVE-2025-59718 
  • Affects: FortiOS, FortiProxy, FortiSwitchManager 
  • Description: Improper cryptographic signature verification in SAML messages [nvd.nist.gov] 
  • CVE-2025-59719 
  • Affects: FortiWeb 
  • Description: Same type of SAML signature weakness as above [nvd.nist.gov] 
  • CVSS Severity 
  • Both vulnerabilities carry a CVSS v3.1 score of 9.8, indicating critical severity for authentication bypass from network-based, unauthenticated attacks 

Impact Analysis 

  • Administrative Access Without Credentials 
    Attackers can craft SAML tokens that bypass authentication checks and gain full administrative control.  
  • Widespread Attack Surface 
    Any Fortinet device registered with FortiCare and with SSO enabled is at risk—including firewall, proxy, and switch-management appliances.  
  • Minimal Audit Footprint 
    Exploitation may not trigger conventional log alerts, making detection difficult 

Risk to Organisations 

  • Devices are frequently targeted by ransomware, espionage, and nation-state actors. Fortinet vulnerabilities are high-value targets once in the wild.  
  • Similar flaws (e.g., SSL VPN exploits) have led to real-world incidents like the Volt Typhoon campaign 

 

 

Affected Versions 

Product 

Versions Vulnerable 

FortiOS 

7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, 7.6.0–7.6.3 [cyber.gov.au] 

FortiProxy 

7.0.0–7.0.21, 7.2.0–7.2.14, 7.4.0–7.4.10, 7.6.0–7.6.3 [cyber.gov.au] 

FortiSwitchManager 

7.0.0–7.0.5, 7.2.0–7.2.6 [cyber.gov.au] 

FortiWeb 

7.4.0–7.4.9, 7.6.0–7.6.4, 8.0.0 

 

Mitigation and Remediation 

Immediate Actions 

  • Disable FortiCloud SSO (if enabled): 
    GUI: System → Settings → Allow administrative login using FortiCloud SSO → Off 
    CLI:  

config system global 

set admin-forticloud-sso-login disable 

end 

Apply Patches 
Install updated firmware with permanent fixes: 

  • FortiOS: 7.0.18+, 7.2.12+, 7.4.9+, 7.6.4+ 
  • FortiProxy: 7.0.22+, 7.2.15+, 7.4.11+, 7.6.4+ 
  • FortiSwitchManager: 7.0.6+, 7.2.7+ 
  • FortiWeb: 7.4.10+, 7.6.5+, 8.0.1+ 

 

Recommendations: 

  • Audit: Inventory all Fortinet devices; verify FortiCloud SSO status across controllers.  
  • Patch: Apply firmware updates immediately.  
  • Harden: Keep SSO disabled unless essential; limit device registration to trusted personnel.  
  • Log & Monitor: Capture detailed SAML flows; alert on anomalies.  
  • Review Incident Response Plans: Update to include detection and mitigation for SAML-based bypass. 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

 

Contact Us