Fortinet Warns of Critical FortiCloud SSO Login Auth Bypass Flaws
Summary:
Fortinet has issued security updates to address two critical vulnerabilities, CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that could allow threat actors to bypass FortiCloud SSO authentication. The flaws stem from improper verification of cryptographic signatures when processing maliciously crafted SAML messages. Fortunately, the vulnerable FortiCloud SSO login feature is not enabled by default in factory settings. It is only activated during device registration to FortiCare, unless the administrator explicitly disables the 'Allow administrative login using FortiCloud SSO' toggle switch.
Fortinet also patched two other vulnerabilities: CVE-2025-59808, which allows an attacker who has gained access to a user account to reset credentials without the current password, and CVE-2025-64471, which permits authentication using the password hash. The continuous patching highlights Fortinet products' appeal as a target, with past critical flaws often being exploited in zero-day attacks by groups like the Chinese Volt Typhoon.
Security Officer Comments:
This set of critical vulnerabilities targeting FortiCloud SSO authentication (CVE-2025-59718, CVE-2025-59719) is significant due to the potential for SSO authentication bypass on widely deployed network security devices. However, the risk is lowered by the fact that the vulnerable feature is not enabled by default and requires a manual or semi-automatic administrator action (FortiCare registration without disabling the toggle) to activate. Active exploitation of vulnerabilities in Fortinet products has been widely reported this year. Security events like the massive spike in brute-force attacks targeting Fortinet SSL VPNs in August, and the discovery of two zero-day vulnerabilities (CVE-2025-58034, CVE-2025-64446) in FortiWeb in November, underscore the importance of prioritizing the patching of Fortinet flaws.
Suggested Corrections:
To mitigate immediate risk, administrators are strongly advised to temporarily disable the FortiCloud SSO login feature (if enabled) until they can upgrade to a fixed version. This can be done via the GUI (System -> Settings) or by running these CLI commands (the closing 'end' commits the change):
config system global
set admin-forticloud-sso-login disable
end
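For fleets where the toggle cannot be checked device by device, the following added example (written for this summary, not Fortinet's tooling) audits exported FortiOS configuration text for the admin-forticloud-sso-login setting named above. It assumes the usual FortiOS export behaviour of omitting values left at their default, so a device where the line is absent is reported as "default" for manual review rather than assumed safe. The sample configurations embedded in the script are constructed, not from real devices.

```python
"""Audit exported FortiOS configurations for the FortiCloud SSO admin-login toggle.

Added example, not from the advisory or from Fortinet. It parses the
`config system global ... end` block of each export and classifies the
`admin-forticloud-sso-login` setting as 'disabled', 'enabled' or 'default'.
Assumption: FortiOS omits default values from exports, so an absent line
means the device default applies and must be reviewed, not treated as off.
"""
import re
from typing import Dict, List, Tuple

SETTING = "admin-forticloud-sso-login"
_SET_RE = re.compile(r"^set\s+(\S+)(?:\s+(.*))?$")


def parse_global_block(config_text: str) -> Dict[str, str]:
    """Return the key/value pairs set directly inside `config system global`.

    Nested `config`/`edit` sections are tracked by depth so their `end`/`next`
    lines do not terminate the global block early; only depth-1 settings count.
    """
    settings: Dict[str, str] = {}
    in_global = False
    depth = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_global:
            if line == "config system global":
                in_global = True
                depth = 1
            continue
        if line.startswith("config ") or line.startswith("edit "):
            depth += 1
            continue
        if line in ("end", "next"):
            depth -= 1
            if depth == 0:
                break  # closing `end` of `config system global`
            continue
        if depth == 1:
            m = _SET_RE.match(line)
            if m:
                key, value = m.group(1), (m.group(2) or "")
                settings[key] = value.strip().strip('"')
    return settings


def sso_login_state(config_text: str) -> str:
    """Classify the FortiCloud SSO admin-login toggle for one exported config."""
    value = parse_global_block(config_text).get(SETTING)
    if value is None:
        return "default"  # not exported: device default applies, review manually
    if value.lower() == "disable":
        return "disabled"
    if value.lower() == "enable":
        return "enabled"
    return "unknown"


def audit(configs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, state) for every device not explicitly set to disable."""
    findings = []
    for host, text in configs.items():
        state = sso_login_state(text)
        if state != "disabled":
            findings.append((host, state))
    return findings


# Constructed sample exports (hypothetical hostnames, not real devices).
SAMPLE_CONFIGS = {
    "fw-branch-01": (
        "config system global\n"
        '    set hostname "fw-branch-01"\n'
        "    set admin-forticloud-sso-login disable\n"
        "end\n"
    ),
    "fw-branch-02": (
        "config system global\n"
        '    set hostname "fw-branch-02"\n'
        "    set admin-forticloud-sso-login enable\n"
        "end\n"
        "config system interface\n"
        '    edit "port1"\n'
        "        set ip 192.0.2.1 255.255.255.0\n"
        "    next\n"
        "end\n"
    ),
    "fw-hq-01": (
        "config system global\n"
        '    set hostname "fw-hq-01"\n'
        "end\n"
    ),
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_CONFIGS):
        print(f"{host}: {SETTING} is {state}")
```

Run it against a directory of exported configs by loading each file into the dictionary keyed by hostname; any device reported as "enabled" or "default" should be checked in the GUI or with the CLI commands above before the patched firmware is rolled out.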
Link(s):
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-forticloud-sso-login-auth-bypass-flaws/