Fortinet authentication bypass vulnerabilities CVE-2025-59718 & CVE-2025-59719

Published: Thu 11 December, 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

Two (2) Critical authentication bypass vulnerabilities have been disclosed in multiple Fortinet products, tracked as CVE-2025-59718 and CVE-2025-59719. These flaws affect FortiOS, FortiProxy, FortiSwitchManager and FortiWeb when FortiCloud SSO login is enabled, and are rated CVSS 9.8 (Critical).

The Australian Cyber Security Centre (ACSC) has issued a Critical alert and recommends immediate patching and investigation for potential compromise.

Vulnerability details

CVE-2025-59718 – FortiOS, FortiProxy, FortiSwitchManager

• Improper verification of cryptographic signatures in the FortiCloud SSO login flow.
• An unauthenticated attacker can send a crafted SAML response to bypass FortiCloud SSO authentication and gain administrative access.

CVE-2025-59719 – FortiWeb

• Same underlying issue (improper cryptographic signature verification) in FortiWeb’s FortiCloud SSO integration.
• An unauthenticated attacker can similarly bypass FortiCloud SSO login via a malicious SAML message and obtain admin access to FortiWeb.

These issues only affect devices where “Allow administrative login using FortiCloud SSO” is enabled. Fortinet notes this feature is not enabled by default, but it is automatically enabled when devices are registered to FortiCare unless the toggle is explicitly disabled during registration.

Affected products and versions

FortiOS

• 7.0.0 through 7.0.17
• 7.2.0 through 7.2.11
• 7.4.0 through 7.4.8
• 7.6.0 through 7.6.3

FortiProxy

• 7.0.0 through 7.0.21
• 7.2.0 through 7.2.14
• 7.4.0 through 7.4.10
• 7.6.0 through 7.6.3

FortiSwitchManager

• 7.0.0 through 7.0.5
• 7.2.0 through 7.2.6

FortiWeb

• 7.4.0 through 7.4.9
• 7.6.0 through 7.6.4
• 8.0.0

Impact

Successful exploitation of these vulnerabilities allows unauthenticated remote attackers to bypass FortiCloud SSO login and obtain administrative access to affected Fortinet devices. This can lead to:

• Full compromise of firewalls, proxies, WAFs and switch management platforms.
• Modification of security policies, VPN settings, routing and inspection behaviour.
• Theft of credentials, VPN configuration, and network topology information.
• Use of compromised devices as a pivot for lateral movement and deeper network intrusion.

While Fortinet has not yet reported in-the-wild exploitation for these two specific CVEs, similar Fortinet authentication bypass issues (e.g. CVE-2024-55591) have been heavily exploited as zero-days in previous campaigns, reinforcing the need for rapid remediation.

Mitigation actions

1. Identify all Fortinet devices running affected versions of FortiOS, FortiProxy, FortiSwitchManager and FortiWeb.
2. Upgrade to the latest fixed release for each product line as per Fortinet PSIRT advisory FG-IR-25-647 and the FortiGuard security advisories. The FortiGate / Fortinet Upgrade Tool is available to plan a safe upgrade path between releases and avoid unsupported hops.

If immediate patching is not possible, Disable FortiCloud SSO login on all affected devices where it is enabled. This should be treated as a short-term risk reduction only. Devices must still be upgraded to fixed versions.

To turn off FortiCloud login, go to System -> Settings -> Switch
"Allow administrative login using FortiCloud SSO" to Off.

Alternatively, type the following command in the CLI:

config system global
set admin-forticloud-sso-login disable
end

Harden management access

Regardless of patch status:

• Restrict management interfaces to trusted admin networks / VPNs only (no direct internet exposure).
• Enforce strong MFA especially for administrative access.
• Ensure role-based access controls and least-privilege are in place for Fortinet administrators.
• Review and secure any SAML / Identity Provider configurations used with FortiCloud or other SSO providers.

Detection capabilities

Logging & telemetry

• Ensure FortiOS, FortiProxy, FortiSwitchManager and FortiWeb logs – along with relevant firewall, proxy, VPN and IdP logs – are forwarded to a SIEM or other central security monitoring platform.

• Use these logs to detect:

  • Administrative logins via FortiCloud SSO from unusual IPs, geolocations or at unusual times.

  • Sudden spikes in failed vs successful SSO attempts.

  • Unauthorised configuration changes, new admin accounts or changes to SAML / identity-provider settings.

• Correlate Fortinet events with upstream network logs to identify suspicious access to Fortinet management interfaces, especially from external or previously unseen hosts.

If compromise is suspected

• Immediately isolate suspected devices from the network.
• Rebuild or re-image affected Fortinet appliances onto fixed firmware versions.
• Rotate all relevant credentials (local admin, LDAP/AD, VPN accounts, API keys) used by or stored on the compromised devices.
• Consider broader environment threat hunting and incident response activities.

MDR customers: Triskele Labs is actively tuning detections for behaviour consistent with exploitation of CVE-2025-59718 / CVE-2025-59719 and related Fortinet authentication bypass activity across supported log sources.

Vulnerability Management customers: Environments are being assessed for vulnerable Fortinet versions; any exposure will be communicated through priority channels.

References

• https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-multiple-fortinet-products-forticloud-sso-login-authentication-bypass
• https://fortiguard.fortinet.com/psirt/FG-IR-25-647
• https://docs.fortinet.com/upgrade-tool/fortigate
• https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694