Table of Contents
- Is your network vulnerable to the critical FortiCloud SSO login bypass affecting FortiOS?
- Critical Advisory: FortiCloud SSO Authentication Bypass
- Technical Analysis: The SAML Manipulation Vector
- Vulnerability Breakdown by CVE
- CVE-2025-59718
- CVE-2025-59719
- Risk Assessment and Configuration Factors
- Recommended Action Plan
Is your network vulnerable to the critical FortiCloud SSO login bypass affecting FortiOS?
Critical Advisory: FortiCloud SSO Authentication Bypass
Fortinet has identified two critical vulnerabilities affecting the Single Sign-On (SSO) authentication process within its ecosystem. These flaws allow attackers to bypass authentication protocols completely. This security gap affects widely used products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The vendor released security updates on December 9, 2025, to mitigate these risks.
Technical Analysis: The SAML Manipulation Vector
The core mechanism of this attack targets the Security Assertion Markup Language (SAML). SAML facilitates the exchange of authentication data between an identity provider and a service provider.
The vulnerability stems from improper verification of cryptographic signatures. An attacker without valid credentials can forge a manipulated SAML response message. The system fails to validate this signature correctly, granting the attacker access to the device management interface. This results in a complete bypass of the FortiCloud SSO login.
Vulnerability Breakdown by CVE
CVE-2025-59718
Severity: Critical
Mechanism: Improper cryptographic signature verification.
Affected Products:
- FortiOS: Versions 7.6.0–7.6.3, 7.4.0–7.4.8, 7.2.0–7.2.11, 7.0.0–7.0.17
- FortiProxy: Versions 7.6.0–7.6.3, 7.4.0–7.4.10, 7.2.0–7.2.14, 7.0.0–7.0.21
- FortiSwitchManager: Versions 7.2.0–7.2.6, 7.0.0–7.0.5
CVE-2025-59719
Severity: Critical
Mechanism: Identical SAML manipulation vector specific to web application firewalls.
Affected Products:
- FortiWeb: Versions 8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9
Risk Assessment and Configuration Factors
The severity of these vulnerabilities depends on your specific device configuration. Fortinet advises that the vulnerable FortiCloud SSO feature is not enabled by default.
Your infrastructure is primarily at risk if your devices are registered with FortiCare. This registration process activates the SSO feature that contains the cryptographic flaw. Administrators managing unregistered devices face a lower immediate risk profile but should still apply patches to ensure long-term security hygiene.
Recommended Action Plan
- Audit: Verify the firmware versions of all deployed Fortinet assets against the lists above.
- Verify Configuration: Check if devices are registered to FortiCare and if FortiCloud SSO is active.
- Patch: Apply the security updates released on December 9, 2025, immediately. Prioritize devices with exposed management interfaces.