Blog

Fortinet has issued a critical advisory on December 9, 2025 concerning two severe authentication‑bypass vulnerabilities that affect a broad spectrum of Fortinet devices, from FortiOS and FortiProxy to FortiWeb and FortiSwitchManager. The flaws—CVE‑2025‑59718 and CVE‑2025‑59719—enable attackers to sidestep FortiCloud Single‑Sign‑On (SSO) authentication by submitting a malicious SAML message that exploits a weakness in cryptographic signature verification. Below is a concise breakdown of the threat, its impact, and the steps you can take to protect your environment.

1. What the Vulnerabilities Are

Fortinet’s FortiCloud SSO feature, when enabled, relies on SAML tokens to authenticate administrators. The vulnerabilities arise because the devices improperly verify the signature of those tokens. If an attacker can craft a forged SAML assertion that the device accepts as valid, they can gain administrative access without knowing any legitimate credentials.

• CVE‑2025‑59718 affects FortiOS, FortiProxy, and FortiSwitchManager.
• CVE‑2025‑59719 targets FortiWeb’s SSO implementation.

Both issues can be exploited only when the FortiCloud SSO feature is turned on. By default, the feature is disabled; it only activates after a device is registered with FortiCare unless the administrator explicitly turns the “Allow administrative login using FortiCloud SSO” toggle off during registration.

2. Why It Matters

The implications are serious:

• Widespread attack surface – Any Fortinet device that can register with FortiCare is potentially vulnerable.
• Zero‑trust bypass – Attackers can send a forged SAML assertion that the device accepts as legitimate, effectively breaking the authentication chain.
• Stealthy exploitation – The flaw can be leveraged without triggering typical login‑failure logs, making detection challenging.

3. Mitigation Steps (Immediate)

1. Disable FortiCloud SSO Login
   In the GUI: Navigate to System → Settings → Allow administrative login using FortiCloud SSO and set it to Off.

   Apply this change to every FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb device in your environment.

2. Apply Security Patches
   Fortinet has released firmware updates that fix both CVE‑2025‑59718 and CVE‑2025‑59719. Verify that each device is running the latest FortiOS or FortiWeb version available from the Fortinet Support portal.
3. Monitor for SAML Traffic
   Enable detailed logging on your FortiGate or FortiProxy to capture SAML authentication requests. Scrutinize logs for unusual or malformed SAML messages that could indicate exploitation attempts.
4. Review FortiCare Registrations
   If FortiCare registration is not essential for your deployment, consider disabling it entirely to remove the feature from the attack surface.

4. Long‑Term Recommendations

• Enforce Multi‑Factor Authentication (MFA) for Administrative Access – Adding MFA creates an additional hurdle that a SAML bypass alone cannot overcome.
• Segment Management Traffic – Isolate administrative interfaces so that even if an account is compromised, lateral movement is restricted.
• Conduct Regular Vulnerability Scans – Periodic scanning helps catch unpatched devices before attackers can exploit them.
• Adopt Zero‑Trust Principles – Treat all authentication mechanisms—whether local or SSO—with the same scrutiny and enforce least‑privilege access.

5. Quick FAQ

• Is my FortiOS device vulnerable if I never registered with FortiCare?
  No. The FortiCloud SSO feature remains disabled by default, so the flaw does not apply.
• Can I keep FortiCloud SSO enabled safely?
  Only if you have applied the latest patch and maintain robust monitoring. The safest approach is to disable it unless you have a compelling business need.
• How do I know if I’ve applied the patch?
  Check the firmware version in the CLI (get system status) and compare it to the version list in Fortinet’s advisory.
• What if I’m on an older product line that won’t receive updates?
  Consider migrating to a supported platform or implementing network segmentation to isolate the device from critical administrative functions.

6. Final Thoughts

Fortinet’s advisory highlights the importance of disabling unnecessary authentication features and staying current with firmware updates. By disabling FortiCloud SSO login and applying the latest patches, you can neutralize the CVE‑2025‑59718 and CVE‑2025‑59719 vulnerabilities before attackers gain a foothold. For a deeper dive into the technical details and mitigation scripts, consult the full Fortinet advisory and the accompanying Bleeping Computer article that covers the same topic in detail.

Remain vigilant, keep your systems patched, and secure your administrative access—preventing this issue is a matter of a quick configuration tweak and timely patching.

For more security insights, follow Critical Path Security and stay ahead of emerging threats.