Fortinet Warns of Critical FortiCloud SSO Authentication Bypass Flaws

Fortinet has issued urgent security updates addressing two critical authentication bypass vulnerabilities (CVSS 9.1) that could allow attackers to bypass FortiCloud SSO login on FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager devices. Given Fortinet's history as a frequent target for ransomware gangs and nation-state hackers, administrators should prioritize these patches immediately.

The Vulnerabilities

CVE-2025-59718 (CVSS 9.1 - Critical)

Affected Products: FortiOS, FortiProxy, FortiSwitchManager

Type: Authentication Bypass via Cryptographic Signature Verification Weakness

Attack Vector: Maliciously crafted SAML message

Impact: Complete bypass of FortiCloud SSO authentication

CVE-2025-59719 (CVSS 9.1 - Critical)

Affected Products: FortiWeb

Type: Authentication Bypass via Cryptographic Signature Verification Weakness

Attack Vector: Maliciously crafted SAML message

Impact: Complete bypass of FortiCloud SSO authentication

Both flaws stem from improper verification of cryptographic signatures, allowing attackers to forge authentication via malicious SAML messages.

The Silver Lining: Not Enabled by Default

Fortinet notes that FortiCloud SSO login is not enabled in default factory settings. However, there's an important caveat:

"When an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration."

Translation: If you've registered your Fortinet device through the GUI without explicitly disabling FortiCloud SSO, you're likely vulnerable.

Immediate Mitigation Steps

Fortinet advises disabling FortiCloud SSO login until you can upgrade to a patched version:

Via GUI:

Navigate to System → Settings

Set "Allow administrative login using FortiCloud SSO" to Off

Via CLI:

config system global

set admin-forticloud-sso-login disable

end

Additional Vulnerabilities Patched

Fortinet's December security update also addresses:

CVE-2025-59808 - Unverified Password Change

Allows attackers with access to a victim's account to reset credentials without knowing the current password

Requires initial account compromise

CVE-2025-64471 - Pass-the-Hash Authentication

Allows attackers to authenticate using a password hash instead of the actual password

Useful for lateral movement after initial compromise

Why Fortinet Vulnerabilities Matter

Fortinet devices are high-value targets for attackers because they sit at the network perimeter—compromising a firewall or VPN gateway often means compromising the entire network.

Recent Fortinet Exploitation History

November 2025: CVE-2025-58034 - FortiWeb zero-day actively exploited

November 2025: CVE-2025-64446 - FortiWeb silently patched after mass exploitation

August 2025: CVE-2025-25256 - FortiSIEM public PoC exploit available

February 2024: CVE-2023-27997, CVE-2022-42475 - FortiOS SSL VPN exploited by Chinese Volt Typhoon APT

The Volt Typhoon incident is particularly notable: the Chinese state-sponsored hacking group used FortiOS vulnerabilities to backdoor a Dutch Ministry of Defence military network, deploying custom 'Coathanger' RAT malware for persistent access.

Who's at Risk?

Check if you're affected:

Do you use FortiOS, FortiWeb, FortiProxy, or FortiSwitchManager?

Have you registered your device to FortiCare via the GUI?

Is "Allow administrative login using FortiCloud SSO" enabled?

If you answered yes to all three, you should treat this as a critical priority.

Organizations most at risk:

Enterprises using Fortinet for perimeter security

Managed service providers (MSPs) with FortiCloud management

Government and defense contractors (known APT targets)

Healthcare and critical infrastructure (ransomware targets)

Fortinet's Track Record

This isn't an isolated incident. Fortinet vulnerabilities have become a favorite for:

Ransomware Groups:

Initial access via exploited FortiOS VPN flaws

Mass scanning for vulnerable devices

Automated exploitation frameworks

Nation-State APTs:

Volt Typhoon (China) - Critical infrastructure targeting

APT groups frequently exploit Fortinet as entry points

Persistence mechanisms designed for Fortinet devices

The Pattern:

Critical Fortinet vulnerability disclosed

PoC exploit released within days

Mass exploitation begins within hours

Ransomware/APT campaigns follow

Action Items

Immediate (Today):

Inventory all Fortinet devices in your environment

Check if FortiCloud SSO login is enabled

Disable FortiCloud SSO as interim mitigation

Monitor for signs of compromise

Short-Term (This Week):

Download and test security updates

Schedule maintenance window for patching

Update to non-vulnerable versions per Fortinet's advisory

Re-enable FortiCloud SSO only after patching

Ongoing:

Subscribe to Fortinet security advisories (PSIRT)

Monitor for exploitation activity

Review authentication logs for anomalies

Consider network segmentation for management interfaces

Related Security News

This disclosure comes during a busy week for security patches. Microsoft's December 2025 Patch Tuesday also addressed critical vulnerabilities including an actively exploited Windows zero-day.

Conclusion

With a 9.1 CVSS score and Fortinet's history as a prime target for sophisticated attackers, these authentication bypass flaws demand immediate attention. The mitigation is straightforward—disable FortiCloud SSO login until you can patch—so there's no excuse for delay.

Don't wait for the inevitable mass exploitation. Patch now.