CISA reports active exploitation of critical Fortinet authentication bypass flaw
Take action: Now it's urgent, because once again, your Fortinet products are being hacked. If you have Fortinet products, first make sure the management interface is isolated from the internet and accessible only from trusted networks. Then disable FortiCloud SSO login (in System -> Settings or use CLI command config system global set admin-forticloud-sso-login disable end) to prevent authentication bypass attacks. Finally, upgrade to the latest secure versions as soon as possible.
Learn More
CISA reports active exploitation of a critical authentication bypass vulnerabilities affecting multiple Fortinet products. The flaws has been actively exploited in the wild since December 12, 2025, just three days after patches were released.
The flaws are tracked as CVE-2025-59718 (CVSS score 9.8) and CVE-2025-59719 (CVSS score 9.8), improper verification of cryptographic signatures in SAML authentication responses. These flaws allow unauthenticated attackers to bypass FortiCloud SSO login authentication by sending specially crafted SAML messages to vulnerable devices.
Although FortiCloud SSO is disabled by default in factory settings, the feature becomes automatically enabled when administrators register devices to FortiCare through the GUI unless explicitly disabled during registration.
Fortinet strongly recommends that organizations unable to patch immediately should disable the FortiCloud SSO login feature as a temporary mitigation measure. Given the rapid exploitation following disclosure and the ease with which attackers can gain complete administrative control of affected devices, organizations should treat this vulnerability as urgent.
