Fortinet warns of critical FortiCloud SSO auth bypass flaw
▼ Summary
– Fortinet has patched two critical vulnerabilities (CVE-2025-59718 & CVE-2025-59719) that could allow attackers to bypass FortiCloud SSO authentication via malicious SAML messages.
– The vulnerable FortiCloud SSO feature is not enabled by default on unregistered devices, but it may be automatically enabled during FortiCare registration unless an administrator disables it.
– Administrators are advised to temporarily disable the FortiCloud SSO login feature if enabled, until they can upgrade to a patched version.
– Fortinet also addressed two other vulnerabilities, including one (CVE-2025-59808) allowing unauthorized password resets for compromised accounts.
– Fortinet products are frequent targets for exploitation, as illustrated by past incidents involving state-sponsored hackers and widespread brute-force attacks.
Fortinet has issued urgent security updates to address two severe vulnerabilities that could let attackers bypass authentication on several of its products. These flaws, present in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, specifically impact the FortiCloud Single Sign-On (SSO) feature. The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, stem from improper verification of cryptographic signatures. Attackers could exploit them by sending a specially crafted SAML message to a vulnerable system, potentially gaining unauthorized access without proper credentials.
It is important to note that the affected FortiCloud SSO login capability is not active by default on new devices. The feature typically becomes enabled only when an administrator registers the device with FortiCare through the graphical interface. During this registration process, a toggle switch labeled “Allow administrative login using FortiCloud SSO” is automatically set to on unless the administrator manually disables it. This default behavior upon registration is a critical detail for system administrators to understand.
To mitigate risk immediately, administrators should disable the FortiCloud login feature if it is currently enabled, applying this as a temporary measure until systems can be upgraded to a patched version. This can be done through the device’s management interface by navigating to System -> Settings and turning the aforementioned toggle switch to the Off position. Alternatively, the same action can be performed via the command line by executing the specific configuration command provided by Fortinet.
Alongside these critical SSO flaws, Fortinet’s latest updates also resolve other security issues. One patched vulnerability, CVE-2025-59808, could allow someone who has already compromised a user account to reset that account’s credentials without needing to provide the current password. Another flaw, CVE-2025-64471, involves a scenario where an attacker might authenticate using a password hash instead of the actual plaintext password.
Fortinet’s products are a frequent target for advanced threat actors, including state-sponsored groups and ransomware operators, who often exploit such vulnerabilities rapidly. Earlier this year, the company disclosed that the Chinese hacking group known as Volt Typhoon had compromised a military network by leveraging two older FortiOS SSL VPN flaws to deploy persistent malware. More recent incidents include a surge in brute-force attacks against Fortinet VPNs and the active exploitation of zero-day vulnerabilities in the FortiWeb web application firewall, one of which was patched silently before public disclosure. These events underscore the importance of applying security updates promptly to protect network infrastructure from determined adversaries.
(Source: Bleeping Computer)
