At a glance: Fortinet fixes two critical SSO auth-bypass flaws in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Improper SAML signature checks allow unauthenticated attackers to gain admin access when FortiCloud SSO is enabled. Patch immediately or disable FortiCloud SSO as a temporary safeguard.
Threat summary
On December 9, Fortinet issued advisory FG‑IR‑25‑647 addressing two vulnerabilities in FortiCloud Single Sign‑On (SSO) that affect certain versions of:
- FortiOS
- FortiWeb
- FortiProxy
- FortiSwitchManager
The flaws, tracked as CVE‑2025‑59718 and CVE‑2025‑59719, have been assigned a CVSS v3 score of 9.1 out of 10, classified as critical.
Both vulnerabilities enable unauthenticated bypass of SSO login due to improper cryptographic signature verification (CWE‑347) in Security Assertion Markup Language (SAML) messages. When the FortiCloud SSO login feature is enabled, a threat actor could exploit the issue by sending a crafted SAML message.
The feature is not enabled by default; however, when an administrator registers a device to FortiCare through the graphical user interface, FortiCloud SSO login is automatically enabled.
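To make the CWE-347 failure mode concrete, here is an added, simplified illustration of a service-provider login check over a SAML-style response; it is example code written for this page, not Fortinet's implementation, and the page does not say which specific verification step Fortinet's code got wrong. HMAC-SHA256 over the canonicalised Assertion stands in for the XML-DSig RSA/ECDSA signature a real identity provider produces, the pinned key and the IdP URL are constructed for the example, and the "broken" verifier shows one common shape of the bug: treating the signature as optional, so an unsigned assertion claiming an admin role is accepted as authentic.

```python
"""Illustration of CWE-347 in a SAML-style SSO login (added example, not Fortinet code).

HMAC-SHA256 over the canonicalised <saml:Assertion> stands in for XML-DSig;
the verifier mistake (and its fix) has the same shape either way.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed IdP signing key pinned in the service-provider config (assumption).
IDP_KEY = b"constructed-idp-signing-key"


def canonical(assertion: ET.Element) -> bytes:
    """Deterministic byte form of one <saml:Assertion> (C14N 2.0 from the stdlib)."""
    return ET.canonicalize(ET.tostring(assertion, encoding="unicode"),
                           strip_text=True).encode()


def make_assertion(name_id: str, role: str) -> ET.Element:
    """Build a minimal assertion; the issuer URL is constructed for the example."""
    xml = (f'<saml:Assertion xmlns:saml="{SAML}">'
           f'<saml:Issuer>https://idp.example.net</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:AttributeStatement><saml:Attribute Name="role">'
           f'<saml:AttributeValue>{role}</saml:AttributeValue>'
           f'</saml:Attribute></saml:AttributeStatement></saml:Assertion>')
    return ET.fromstring(xml)


def make_response(assertion: ET.Element, key: Optional[bytes]) -> bytes:
    """Wrap an assertion in a <samlp:Response>; sign it only when a key is given
    (key=None models an attacker who simply omits the signature)."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    if key is not None:
        sig = ET.SubElement(resp, "Signature")  # stand-in for ds:Signature
        sig.text = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    resp.append(assertion)
    return ET.tostring(resp)


def _consume(assertion: ET.Element) -> dict:
    """What the SP acts on after verification: the subject and its role."""
    return {"name_id": assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
            "role": assertion.findtext(f".//{{{SAML}}}AttributeValue")}


def broken_login(response_xml: bytes, key: bytes = IDP_KEY) -> Optional[dict]:
    """CWE-347 shape: the signature is checked only if one happens to be present,
    so a crafted, unsigned assertion is treated as authentic."""
    root = ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML}}}Assertion")
    sig = root.find("Signature")
    if sig is not None:
        expected = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.text or "", expected):
            return None
    return _consume(assertion)


def hardened_login(response_xml: bytes, key: bytes = IDP_KEY) -> Optional[dict]:
    """Require a signature, verify it with the pinned IdP key over exactly the
    assertion that will be consumed, and fail closed on anything unexpected."""
    root = ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML}}}Assertion")
    sig = root.find("Signature")
    if assertion is None or sig is None or not sig.text:
        return None
    expected = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.text, expected):
        return None
    return _consume(assertion)


def demo() -> dict:
    """Run both verifiers over a genuine, a forged-unsigned and a tampered response."""
    legit = make_response(make_assertion("alice", "read-only"), IDP_KEY)
    forged = make_response(make_assertion("attacker", "super_admin"), None)
    tampered = make_response(make_assertion("alice", "read-only"), IDP_KEY) \
        .replace(b"read-only", b"super_admin")
    return {
        "broken": [broken_login(x) for x in (legit, forged, tampered)],
        "hardened": [hardened_login(x) for x in (legit, forged, tampered)],
    }


if __name__ == "__main__":
    for verifier, outcomes in demo().items():
        print(verifier, outcomes)
```

The broken verifier accepts the unsigned "super_admin" assertion and rejects only the tampered signed one; the hardened verifier rejects both. In a real XML-DSig deployment the same fail-closed posture also means checking that the Signature's Reference actually covers the Assertion element the application consumes (not a sibling), that the signing certificate matches the one pinned for the identity provider rather than one carried in the message, and that audience, recipient, validity window and InResponseTo are enforced; none of those is a substitute for applying the vendor fix.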
Insights & mitigations
Successful exploitation grants administrative access, allowing full control of affected devices and compromise of sensitive data. In some scenarios, this could lead to complete takeover of Fortinet infrastructure, including firewalls and web application gateways, resulting in loss of confidentiality, integrity, and availability.
Fortinet’s advisory lists the fixed versions, and upgrading to a non-affected release remains the most effective way to reduce exposure. For environments unable to patch immediately, recommended interim mitigations include disabling FortiCloud SSO where it isn’t required and restricting external access to the administrative interfaces that expose the FortiCloud SSO login. Enforcing multi-factor authentication at the identity-provider level is still worthwhile as defense in depth, but it does not close this gap on its own: an attacker who can forge the SAML message never authenticates to the identity provider, so the MFA step is never reached.
By correlating network traffic, endpoint behavior, and indicators of compromise, Field Effect MDR detects and blocks exploit attempts, flagging anomalies such as suspicious SAML authentication activity and unauthorized administrative access.
Field Effect MDR clients will receive an ARO alert identifying any vulnerable instances, along with remediation guidance.