Security Advisory: Fortinet released security updates addressing critical Improper Verification of Cryptographic Signature vulnerabilities (CWE-347) in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager.
When the advisory was published, Fortinet noted that the vulnerable FortiCloud SSO login feature is not enabled by default on devices that are not FortiCare-registered.
| OEM | Fortinet |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-59718, CVE-2025-59719 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Improper verification of cryptographic signature vulnerability | CVE-2025-59718 | FortiSwitchManager, FortiProxy, FortiOS | Critical | See the Remediation table below |
| Improper verification of cryptographic signature vulnerability | CVE-2025-59719 | FortiWeb | Critical | See the Remediation table below |
These flaws allow unauthenticated attackers to bypass FortiCloud SSO login authentication with crafted SAML messages when the feature is enabled. Administrators are urged to update the affected products to a fixed version.
Technical Summary
The vulnerabilities stem from improper verification of cryptographic signatures in the SAML authentication flow used by FortiCloud SSO login across the affected products.
An attacker can craft SAML messages that pass the flawed signature validation, so the device accepts them as a valid SSO login and grants administrative access without authentication, provided the FortiCloud SSO feature is enabled.
Because the flaw sits on the management interface, remote exploitation can lead to full device compromise, including configuration changes, policy alterations and redirection of network traffic.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-59718 | FortiOS (7.6, 7.4, 7.2, 7.0), FortiProxy (7.6, 7.4, 7.2, 7.0), FortiSwitchManager (7.2, 7.0) | Improper signature verification allows crafted SAML to bypass SSO login | Unauthorized admin access, full device compromise |
| CVE-2025-59719 | FortiWeb (8.0, 7.6, 7.4) | Same improper signature verification in FortiWeb SSO | Complete takeover of web application firewall |
Remediation:
Upgrade immediately to the fixed firmware versions listed below.
If an immediate upgrade is not feasible, disable FortiCloud SSO login on each affected device until it can be patched.
| Product | Affected Versions | Fixed Version |
| FortiOS 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0 – 7.4.8 | 7.4.9+ |
| FortiOS 7.2 | 7.2.0 – 7.2.11 | 7.2.12+ |
| FortiOS 7.0 | 7.0.0 – 7.0.17 | 7.0.18+ |
| FortiProxy 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiProxy 7.4 | 7.4.0 – 7.4.10 | 7.4.11+ |
| FortiProxy 7.2 | 7.2.0 – 7.2.14 | 7.2.15+ |
| FortiProxy 7.0 | 7.0.0 – 7.0.21 | 7.0.22+ |
| FortiSwitchManager 7.2 | 7.2.0 – 7.2.6 | 7.2.7+ |
| FortiSwitchManager 7.0 | 7.0.0 – 7.0.5 | 7.0.6+ |
| FortiWeb 8.0 | 8.0.0 | 8.0.1+ |
| FortiWeb 7.6 | 7.6.0 – 7.6.4 | 7.6.5+ |
| FortiWeb 7.4 | 7.4.0 – 7.4.9 | 7.4.10+ |
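The following is an added example, not text or commands from Fortinet's advisory, showing how to check the firmware version and turn off FortiCloud SSO admin login from the FortiOS CLI as a temporary mitigation. The setting name `admin-forticloud-sso-login` under `config system global` is taken from the FortiOS CLI reference; confirm it on your firmware build before relying on it, and consult the vendor advisory for the equivalent setting on FortiProxy, FortiSwitchManager and FortiWeb, whose CLIs are not shown here.

```fortios
# Added example (not from the Fortinet advisory). FortiOS CLI, run from an admin session.
# Setting name assumed from the FortiOS CLI reference; verify on your build.

# 1. Record the running firmware build and compare it with the fixed-version table above.
get system status | grep Version

# 2. Check whether FortiCloud SSO admin login is enabled.
#    'show full-configuration' prints the value even when it is still at its default.
show full-configuration system global | grep admin-forticloud-sso-login

# 3. Temporary mitigation until the fixed firmware is installed:
#    turn the feature off so the SSO login path is no longer exposed.
config system global
    set admin-forticloud-sso-login disable
end

# 4. Re-check; the expected line is "set admin-forticloud-sso-login disable".
show full-configuration system global | grep admin-forticloud-sso-login
```

Apply the change on every device in scope, including HA peers and any units managed through FortiProxy or FortiSwitchManager, and record which devices had the feature enabled so it can be re-enabled deliberately after the upgrade rather than left off by accident.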
Conclusion:
The FortiCloud SSO authentication bypass flaws are a critical risk because they turn a convenience feature into a direct path to administrative takeover of core Fortinet security devices.
Organizations should urgently upgrade to the fixed versions and, where an immediate patch is not possible, disable FortiCloud SSO login wherever it is enabled to prevent unauthorized access and ensure continuity of security operations.