Fortinet Warns of Critical FortiCloud SSO Authentication Bypass Flaws
🛡️ Security

Fortinet Warns of Critical FortiCloud SSO Authentication Bypass Flaws

Fortinet releases patches for two critical 9.1 CVSS authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

AB
Anthony Bahn IT Director & Cybersecurity Consultant
FortinetFortiWebAuthentication BypassCVEZero-Day

Fortinet has issued urgent security updates addressing two critical authentication bypassAuthentication Bypass📖A security vulnerabilityVulnerability🛡️A weakness in software, hardware, or processes that can be exploited by attackers to gain unauthorized access or cause harm. that allows an attacker to circumvent the login verification process and gain unauthorized access to a system without providing valid credentials. vulnerabilities (CVSS 9.1) that could allow attackers to bypass FortiCloudFortiCloud📖Fortinet's cloud-based management and services platform that provides centralized management, logging, reporting, and single sign-on capabilities for Fortinet security products. SSO login on FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager devices. Given Fortinet's history as a frequent target for ransomware gangs and nation-state hackers, administrators should prioritize these patches immediately.

The Vulnerabilities

CVE-2025-59718 (CVSS 9.1 - Critical)

  • Affected Products: FortiOS, FortiProxy, FortiSwitchManager
  • Type: Authentication Bypass via Cryptographic SignatureCryptographic Signature📖A mathematical scheme that uses public key cryptography to verify the authenticity and integrity of digital data, ensuring the content has not been altered and was created by the claimed sender. Verification Weakness
  • Attack Vector: Maliciously crafted SAML message
  • Impact: Complete bypass of FortiCloud SSO authentication

    • CVE-2025-59719 (CVSS 9.1 - Critical)

  • Affected Products: FortiWeb
  • Type: Authentication Bypass via Cryptographic Signature Verification Weakness
  • Attack Vector: Maliciously crafted SAML message
  • Impact: Complete bypass of FortiCloud SSO authentication

    • Both flaws stem from improper verification of cryptographic signatures, allowing attackers to forge authentication via malicious SAML messages.

    The Silver Lining: Not Enabled by Default

    Fortinet notes that FortiCloud SSO login is not enabled in default factory settings. However, there's an important caveat:

    "When an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration."

    Translation: If you've registered your Fortinet device through the GUI without explicitly disabling FortiCloud SSO, you're likely vulnerable.

    Immediate Mitigation Steps

    Fortinet advises disabling FortiCloud SSO login until you can upgrade to a patched version:

    Via GUI:

  • Navigate to System → Settings
  • Set "Allow administrative login using FortiCloud SSO" to Off

    • Via CLI:

    config system global

    set admin-forticloud-sso-login disable

    end

    Additional Vulnerabilities Patched

    Fortinet's December security update also addresses:

    CVE-2025-59808 - Unverified Password Change

  • Allows attackers with access to a victim's account to reset credentials without knowing the current password
  • Requires initial account compromise

    • CVE-2025-64471 - Pass-the-HashPass-the-Hash🛡️An attack technique where an attacker uses a captured password hash to authenticate without needing to crack or know the actual password. Authentication

  • Allows attackers to authenticate using a password hash instead of the actual password
  • Useful for lateral movementLateral Movement🛡️Techniques attackers use to move through a network after initial compromise, seeking additional systems to control and data to steal. after initial compromise

    • Why Fortinet Vulnerabilities MatterMatter🏠A new universal smart home standard backed by Apple, Google, and Amazon for cross-platform compatibility.

    Fortinet devices are high-value targets for attackers because they sit at the network perimeter—compromising a firewallFirewall🌐Security system that monitors and controls network traffic based on predetermined rules. or VPN gateway often means compromising the entire network.

    Recent Fortinet Exploitation History

  • November 2025: CVE-2025-58034 - FortiWeb zero-dayZero-Day🛡️A security vulnerability that is exploited or publicly disclosed before the software vendor can release a patchPatch🛡️A software update that fixes security vulnerabilities, bugs, or adds improvements to an existing program., giving developers 'zero days' to fix it. actively exploitedActively Exploited🛡️A vulnerability that attackers are currently using in real-world attacks, requiring immediate patching regardless of severity score.
  • November 2025: CVE-2025-64446 - FortiWeb silently patched after mass exploitation
  • August 2025: CVE-2025-25256 - FortiSIEM public PoC exploitExploit🛡️Code or technique that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access. available
  • February 2024: CVE-2023-27997, CVE-2022-42475 - FortiOS SSL VPN exploited by Chinese Volt Typhoon APT

    • The Volt Typhoon incident is particularly notable: the Chinese state-sponsored hacking group used FortiOS vulnerabilities to backdoor a Dutch Ministry of Defence military network, deploying custom 'Coathanger' RAT malware for persistent access.

    Who's at Risk?

    Check if you're affected:

  • Do you use FortiOS, FortiWeb, FortiProxy, or FortiSwitchManager?
  • Have you registered your device to FortiCare via the GUI?
  • Is "Allow administrative login using FortiCloud SSO" enabled?

    • If you answered yes to all three, you should treat this as a critical priority.

    Organizations most at risk:

  • Enterprises using Fortinet for perimeter security
  • Managed service providers (MSPs) with FortiCloud management
  • Government and defense contractors (known APT targets)
  • Healthcare and critical infrastructure (ransomware targets)

    • Fortinet's Track Record

    This isn't an isolated incident. Fortinet vulnerabilities have become a favorite for:

    Ransomware Groups:

  • Initial access via exploited FortiOS VPN flaws
  • Mass scanning for vulnerable devices
  • Automated exploitation frameworks

    • Nation-State APTs:

  • Volt Typhoon (China) - Critical infrastructure targeting
  • APT groups frequently exploit Fortinet as entry points
  • Persistence mechanisms designed for Fortinet devices

    • The Pattern:

  • Critical Fortinet vulnerability disclosed
  • PoC exploit released within days
  • Mass exploitation begins within hours
  • Ransomware/APT campaigns follow

    • Action Items

    Immediate (Today):

  • Inventory all Fortinet devices in your environment
  • Check if FortiCloud SSO login is enabled
  • Disable FortiCloud SSO as interim mitigation
  • Monitor for signs of compromise

    • Short-Term (This Week):

  • Download and test security updates
  • Schedule maintenance window for patching
  • Update to non-vulnerable versions per Fortinet's advisory
  • Re-enable FortiCloud SSO only after patching

    • Ongoing:

  • Subscribe to Fortinet security advisories (PSIRT)
  • Monitor for exploitation activity
  • Review authentication logs for anomalies
  • Consider network segmentation for management interfaces

    • Related Security News

    This disclosure comes during a busy week for security patches. Microsoft's December 2025 Patch Tuesday also addressed critical vulnerabilities including an actively exploited Windows zero-day.

    Conclusion

    With a 9.1 CVSS score and Fortinet's history as a prime target for sophisticated attackers, these authentication bypass flaws demand immediate attention. The mitigation is straightforward—disable FortiCloud SSO login until you can patch—so there's no excuse for delay.

    Don't wait for the inevitable mass exploitation. Patch now.

    ← Back to All News