Fortinet recently disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO login feature, tracked as CVE-2025-59718 and CVE-2025-59719. These flaws allow unauthenticated attackers to gain full administrative access via crafted SAML messages when the feature is enabled, posing severe risks to enterprise firewalls and security appliances.
Vulnerability Breakdown
Both issues stem from improper verification of cryptographic signatures (CWE-347) in SAML processing across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers exploit this by sending malicious SAML responses, bypassing login entirely and compromising device control, data confidentiality, and network integrity.
No public exploits exist yet, but Fortinet products remain prime targets for threat actors, amplifying urgency for perimeter defenses.
Impacted Versions
Affected releases include FortiOS 7.6.0–7.6.3 and 7.4.0–7.4.8; FortiWeb 7.6.0–7.6.4 and 7.4.0–7.4.9; plus vulnerable FortiProxy and FortiSwitchManager builds. Patches appear in 7.6.4+, 7.4.9+, and later equivalents per FG-IR-25-647.
FortiCloud SSO activates automatically during FortiCare registration unless explicitly disabled, catching many admins off-guard.
Risk and Prioritization
CVSS v3 scores hit 9.8 and 9.1, marking these as critical with network-accessible, low-complexity exploitation leading to full system takeover. National CERTs and scanners like Qualys/Tenable flag them for immediate action, especially on internet-facing gear.
Remediation Steps
Upgrade promptly to fixed versions via Fortinet’s advisory; interim fix disables FortiCloud SSO using GUI (System > Settings > toggle off) or CLI (config system global; set admin-forticloud-sso-login disable; end).
Scan estates with Qualys CSAM or Tenable for coverage, hunt SAML anomalies in logs, and restrict admin interfaces.
Enterprise teams should integrate these into KEV-style workflows, validating patches before year-end to counter Fortinet’s exploitation history.
Enterprise-Wide Propagation
Compromised Fortinet gateways serve as pivots for deeper intrusions, targeting internal assets via trusted admin privileges and disabling defenses like IPS or logging. Supply chain ripple effects hit managed service providers and multi-tenant environments, where one vulnerable appliance exposes customer segments.
Business and Compliance Fallout
Breaches trigger regulatory violations (e.g., GDPR, CMMC), mandatory disclosures, and multimillion-dollar fines, plus reputational damage from high-profile Fortinet targeting. Remediation demands urgent patching across global fleets, diverting vulnerability teams from other priorities like CISA KEV monitoring.
Downtime from exploits or forced outages disrupts operations, with recovery costs escalating due to forensic hunts and privilege resets.
