Fortinet has officially confirmed active exploitation of critical FortiCloud single sign-on (SSO) authentication bypass vulnerabilities affecting multiple enterprise security appliances.
The company disclosed two vulnerabilities CVE-2025-59718 and CVE-2025-59719 discovered during internal code audits in December 2025, with exploitation attempts now documented in customer environments.
The vulnerabilities stem from improper verification of cryptographic signatures in FortiCloud SSO implementations across FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices.
When enabled, these vulnerabilities allow unauthenticated attackers to bypass login authentication by crafting malicious SAML messages, granting unauthorized administrative access to affected devices.
Notably, FortiCloud SSO is not enabled by default but becomes active when administrators register devices to FortiCare without explicitly disabling the “Allow administrative login using FortiCloud SSO” setting are noted.
Escalating Threat Intelligence
The exploitation landscape shifted dramatically when Fortinet observed a subset of customers reporting suspicious login activity matching initial vulnerability indicators.
More critically, the security team identified exploitation cases on fully patched systems running the latest available releases evidence of an undiscovered attack vector beyond the original vulnerability disclosure.
This finding suggests threat actors have identified additional exploitation paths within Fortinet’s SSO authentication mechanisms.
Fortinet product security is actively investigating the new attack methodology and developing remediations. The company will publish updated advisories as the fix scope and timelines become available.
Security leadership has emphasized that while FortiCloud SSO exploitation dominates observed incidents, the underlying vulnerability affects all SAML-based SSO implementations across vulnerable product versions, creating broader exposure than initially assessed.
The vulnerability impacts multiple product lines across multiple firmware versions. FortiOS 7.0 through 7.6 are affected, with solutions ranging from version 7.0.18 to 7.6.4 and above depending on the branch.
FortiProxy versions 7.0 through 7.6 require updates to 7.0.22, 7.2.15, 7.4.11, or 7.6.4 respectively. FortiWeb 7.4, 7.6, and 8.0 require patching, while FortiSwitch Manager versions 7.0 and 7.2 need upgrades to 7.0.6 and 7.2.7 respectively.
For organizations unable to immediately patch, Fortinet recommends disabling FortiCloud SSO login functionality via System Settings or CLI command: config system global, followed by set admin-forticloud-sso-login disable, then end. This temporary mitigation eliminates the authentication bypass vector while patch deployment proceeds.
Security Implications
The combination of confirmed exploitation, newly discovered attack paths, and multi-product impact creates elevated risk for enterprises relying on Fortinet infrastructure.
Organizations should prioritize vulnerability scanning to identify vulnerable versions, validate patch deployment status, and verify that FortiCloud SSO is either disabled or updated to patched releases.
Network defenders should monitor for anomalous administrative login events, particularly from unexpected geographic origins or timing inconsistent with normal operations.
Fortinet administrators must treat firmware updates as critical and baseline security controls as mandatory until patches are universally deployed.
This incident underscores the importance of consistent SSO security posture across hybrid security architectures and the persistent threat posed by authentication bypass vulnerabilities in enterprise appliances.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.