Fortinet Warns of Critical Fortinet FortiCloud SSO vulnerability: Login Authentication Bypass Flaws

In a significant security advisory released in December 2025, Fortinet has alerted administrators and cybersecurity teams to two critical vulnerabilities affecting the FortiCloud Single Sign-On (SSO) login mechanism across multiple Fortinet products. These flaws could allow unauthenticated attackers to bypass login authentication, potentially granting full administrative access without valid credentials — a serious concern for any organization relying on Fortinet devices for secure network access.

What’s the Issue?

Fortinet’s advisory (FG-IR-25-647) covers two related vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719. Both stem from an improper verification of cryptographic signatures in the FortiCloud SSO authentication flow. If the feature is enabled, an attacker can craft a fraudulent SAML (Security Assertion Markup Language) message that the system mistakenly accepts as legitimate, effectively bypassing the authentication entirely.

Affected products include:

  • FortiOS (the operating system for Fortinet firewalls)

  • FortiWeb (web application firewall)

  • FortiProxy (secure web gateway)

  • FortiSwitchManager (management system for FortiSwitches)

These vulnerabilities have been assigned critical severity ratings — with CVSS scores nearing the top of the scale — indicating their potential for widespread impact if left unaddressed.

Why This Matters

Single Sign-On is designed to simplify access by allowing administrators to authenticate through a trusted identity provider once and then manage multiple systems. However, when a flaw allows that very mechanism to be circumvented, the security of the entire network can be compromised.

The exploitation of these vulnerabilities would let attackers gain administrator-level access, potentially allowing them to:

  • Change critical configurations

  • Disable security controls

  • Extract sensitive data

  • Pivot further into the network infrastructure

All of this could occur without the need for a valid password or MFA challenge — a worrying scenario in high-security environments.

FortiCloud SSO: Enabled by Default During Registration

By default, FortiCloud SSO is disabled in factory settings. However, once a device is registered with FortiCare (Fortinet’s subscription service), the SSO login feature is automatically turned on unless the administrator explicitly disables it. This behavior means that many deployed devices could be running with the vulnerable feature enabled without their operators realizing it.

Mitigation and Patching

Fortinet has already released software updates addressing both CVE-2025-59718 and CVE-2025-59719. Immediate patching is the most effective way to protect systems against exploitation.

Recommended steps for administrators:

  1. Apply the latest firmware or software updates to all affected products.

  2. Disable FortiCloud SSO login until patches can be applied:

    • In the GUI, go to System → Settings → Allow administrative login using FortiCloud SSO and switch this to Off.

    • Or via CLI:

      config system global set admin-forticloud-sso-login disable end

  3. Restrict access to administrative interfaces and avoid exposing SSO endpoints to the public internet.

  4. Implement additional authentication layers like Multi-Factor Authentication (MFA) wherever possible.

Disabling the feature temporarily reduces exposure while upgrades are staged across an environment.

Key Takeaways for Security Teams

  • Act now: Critical vulnerabilities like these demand immediate attention — especially in enterprise networks.

  • Review your configurations: Assess whether FortiCloud SSO is enabled and whether it’s necessary for your operations.

  • Stay current: Regularly applying security patches remains one of the best defenses against emerging threats.

As attackers increasingly target authentication mechanisms, organizations must ensure that even convenience features don’t become entry points for compromise. Fortinet’s advisory is a timely reminder that security vigilance and rapid remediation are essential to maintaining a robust defensive posture.