
Critical Fortinet Flaw Risks Unauthenticated Admin Bypass via FortiCloud SSO SAML Forgery

  • Dec 10, 2025

Key Findings


  • A critical vulnerability, tracked as CVE-2025-59718 and CVE-2025-59719, in Fortinet's FortiCloud Single Sign-On (SSO) feature allows unauthenticated attackers to bypass authentication and gain administrative access to affected devices.

  • The vulnerability, which has a CVSS score of 9.1, stems from improper verification of cryptographic signatures (CWE-347) in the FortiCloud SSO SAML implementation.

  • Affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager.

  • The FortiCloud SSO feature is automatically enabled during device registration, so administrators may be exposed without realising it.


Background


Fortinet has issued an urgent security advisory following the discovery of a critical vulnerability affecting its flagship network security products. The flaw, which carries a critical CVSS score of 9.1, allows unauthenticated attackers to bypass authentication mechanisms and potentially gain administrative access to devices via the FortiCloud Single Sign-On (SSO) feature.


Technical Details


The vulnerability, tracked as CVE-2025-59718 and CVE-2025-59719, is an "Improper Verification of Cryptographic Signature" issue (CWE-347). It affects multiple Fortinet product lines, including FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager.


According to the advisory, the flaw "may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device". This means an attacker could forge a security token that the system accepts as valid, granting them access without needing a legitimate username or password.


Exposure and Mitigation


While Fortinet notes that "the FortiCloud SSO login feature is not enabled in default factory settings," there is a significant caveat that may leave many administrators unknowingly exposed. The feature is automatically enabled during device registration. "When an administrator registers the device to FortiCare from the device's GUI… FortiCloud SSO login is enabled upon registration" unless explicitly disabled.


Fortinet has released patches for affected versions and is urging customers to upgrade immediately:


  • FortiOS: Upgrade to 7.6.4, 7.4.9, 7.2.12, or 7.0.18

  • FortiProxy: Upgrade to 7.6.4, 7.4.11, 7.2.15, or 7.0.22

  • FortiWeb: Upgrade to 8.0.1, 7.6.5, or 7.4.10

  • FortiSwitch Manager: Upgrade to 7.2.7 or 7.0.6


For those unable to patch immediately, Fortinet provides a critical mitigation: "Please turn off the FortiCloud login feature (if enabled) temporarily until upgrading to a non-affected version". This can be done via the GUI or by running the following CLI command:


```
config system global
    set admin-forticloud-sso-login disable
end
```
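To check many devices for the exposure described above, the following is an added Python example (not from the post or from Fortinet) that reads a FortiOS-style CLI config backup for the `admin-forticloud-sso-login` setting and compares the running version against the fixed releases listed above. The FIXED table comes from this post; the sample backup is constructed, and treating an absent setting line as "verify on the device" is an assumption.

```python
"""Audit a FortiOS-style CLI config backup for CVE-2025-59718/59719 exposure:
is the build at or past the fixed release, and is FortiCloud SSO login on?
Assumption (not from the advisory): a setting at its default is omitted from
the backup, so an absent line is reported as 'verify' rather than guessed."""
import re

# First fixed patch level per release branch, as listed in the post.
FIXED = {
    "FortiOS": {"7.6": 4, "7.4": 9, "7.2": 12, "7.0": 18},
    "FortiProxy": {"7.6": 4, "7.4": 11, "7.2": 15, "7.0": 22},
    "FortiWeb": {"8.0": 1, "7.6": 5, "7.4": 10},
    "FortiSwitch Manager": {"7.2": 7, "7.0": 6},
}

def is_patched(product, version):
    """True if at/after the fixed release on its branch, False if earlier,
    None if the branch is not in the published list."""
    major, minor, patch = (int(x) for x in version.split("."))
    fixed = FIXED.get(product, {}).get(f"{major}.{minor}")
    return None if fixed is None else patch >= fixed

def sso_login_setting(config_text):
    """Read admin-forticloud-sso-login inside 'config system global';
    None when the block or the line is absent."""
    block = re.search(r"^config system global$(.*?)^end$", config_text, re.S | re.M)
    if not block:
        return None
    m = re.search(r"^\s*set admin-forticloud-sso-login (enable|disable)$",
                  block.group(1), re.M)
    return None if m is None else m.group(1) == "enable"

def audit(product, version, config_text):
    """'patched', 'mitigated' (SSO login off), 'exposed', or 'verify'."""
    patched = is_patched(product, version)
    if patched:
        return "patched"
    enabled = sso_login_setting(config_text)
    if enabled is False:
        return "mitigated"
    if enabled and patched is False:
        return "exposed"
    return "verify"  # unknown branch, or setting not explicit: check on device

# Constructed sample: a 7.4.8 FortiOS backup from a device registered to FortiCare.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-1"
    set admin-forticloud-sso-login enable
end
"""
```

Running `audit("FortiOS", "7.4.8", SAMPLE_CONFIG)` on the sample returns `exposed`; the same backup at 7.4.9 returns `patched`, and with the workaround applied it returns `mitigated`.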


Sources


  • https://securityonline.info/critical-fortinet-flaw-risks-unauthenticated-admin-bypass-via-forticloud-sso-saml-forgery/

  • https://securityonline.info/critical-ivanti-epm-flaw-cve-2025-10573-risks-admin-session-hijack-and-unauthenticated-rce/

  • https://x.com/the_yellow_fall/status/1998574929609212201

© 2025 by Explain IT Again