Critical authentication bypass flaws reported in multiple Fortinet products
Take action: If you run Fortinet products, first make sure the management interface is not reachable from the internet and is accessible only from trusted networks. Then disable FortiCloud SSO login (System -> Settings in the GUI, or the CLI commands config system global / set admin-forticloud-sso-login disable / end) so the SAML-based bypass cannot be used. Finally, upgrade to the fixed versions listed below as soon as possible; disabling SSO login is a workaround, not a fix.
Learn More
Fortinet is reporting critical security vulnerabilities in multiple enterprise products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Vulnerabilities summary:
CVE-2025-59718 and CVE-2025-59719, both rated CVSS 9.1, are caused by improper verification of cryptographic signatures and allow an unauthenticated attacker to bypass FortiCloud Single Sign-On (SSO) authentication entirely by sending crafted Security Assertion Markup Language (SAML) messages.
FortiCloud SSO login is not enabled in the factory default configuration, which limits initial exposure. However, when an administrator registers a device with FortiCare through the GUI, FortiCloud SSO login is enabled automatically as part of registration unless the "Allow administrative login using FortiCloud SSO" toggle on the registration page is explicitly switched off. Because of this enable-on-registration behaviour, many production devices may be exposed without their administrators being aware of it. Organizations that have registered Fortinet products with FortiCare should verify the SSO login setting immediately and take appropriate protective measures.
The flaws affect the following products and versions:
- FortiOS: 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, 7.4.0 through 7.4.8, and 7.6.0 through 7.6.3.
- FortiProxy: 7.0.0 through 7.0.21, 7.2.0 through 7.2.14, 7.4.0 through 7.4.10, and 7.6.0 through 7.6.3.
- FortiSwitchManager: 7.0.0 through 7.0.5 and 7.2.0 through 7.2.6.
- FortiWeb: 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0.
Administrators can check the running firmware version from the device CLI with get system status (the Version line), or from the dashboard in the GUI. Organizations must upgrade to the fixed versions:
- FortiOS 7.0.18, 7.2.12, 7.4.9, or 7.6.4 and above;
- FortiProxy 7.0.22, 7.2.15, 7.4.11, or 7.6.4 and above;
- FortiSwitchManager 7.0.6 or 7.2.7 and above;
- FortiWeb 7.4.10, 7.6.5, or 8.0.1 and above.
For organizations that cannot upgrade immediately, Fortinet recommends temporarily disabling FortiCloud SSO login. In the GUI, navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. Alternatively, run the following from the CLI:
config system global
    set admin-forticloud-sso-login disable
end
After this change administrators can no longer sign in through FortiCloud SSO, so make sure a local administrator account remains usable. Re-check the setting after any re-registration with FortiCare, since registration through the GUI can turn it back on.
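The version table and the SSO-login workaround above can be turned into a quick fleet triage script. The following is an added example written for this page, not Fortinet code: it parses a captured `get system status` output for the firmware version and a captured `show full-configuration system global` output for the `admin-forticloud-sso-login` setting, then classifies each device as patched, mitigated, exposed, or unknown. The fixed-version table is taken from the article; the sample device outputs are constructed, and the script assumes the `Version:` line format and the setting name are the same across the listed products (verify this against your own devices).

```python
"""Triage devices against the FortiCloud SSO advisory summarised above.

Added example, not Fortinet's code. Inputs are the text of `get system status`
and `show full-configuration system global` captured from each device (for
example over SSH); the samples at the bottom are constructed, not real captures.
"""
import re

# Minimum fixed release per product and branch, from the advisory summary above.
# Branches not listed (e.g. FortiOS 6.4) are outside this summary and reported
# as "unknown" rather than guessed.
FIXED = {
    "FortiOS":            {(7, 0): (7, 0, 18), (7, 2): (7, 2, 12), (7, 4): (7, 4, 9),  (7, 6): (7, 6, 4)},
    "FortiProxy":         {(7, 0): (7, 0, 22), (7, 2): (7, 2, 15), (7, 4): (7, 4, 11), (7, 6): (7, 6, 4)},
    "FortiSwitchManager": {(7, 0): (7, 0, 6),  (7, 2): (7, 2, 7)},
    "FortiWeb":           {(7, 4): (7, 4, 10), (7, 6): (7, 6, 5),  (8, 0): (8, 0, 1)},
}

# Assumption: the status output has a line like "Version: FortiGate-100F v7.4.3,build2573,..."
# (FortiWeb omits the "v" prefix in this example, so it is optional).
VERSION_RE = re.compile(r"^Version:\s*\S+\s+v?(\d+)\.(\d+)\.(\d+)", re.M)
# Assumption: the full configuration shows the setting explicitly, enable or disable.
SSO_RE = re.compile(r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\s*$", re.M)


def parse_version(status_output):
    """Return (major, minor, patch) from `get system status` output."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no 'Version:' line found in status output")
    return tuple(int(x) for x in m.groups())


def sso_login_enabled(config_output):
    """True/False for the FortiCloud SSO login setting, None if not present in the capture."""
    m = SSO_RE.search(config_output)
    if not m:
        return None
    return m.group(1) == "enable"


def version_status(product, version):
    """'patched', 'vulnerable', or 'unknown' (product/branch not in the table)."""
    branches = FIXED.get(product)
    if branches is None:
        return "unknown"
    fixed = branches.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def triage(product, status_output, config_output):
    """Combine version and SSO setting into one verdict per device."""
    version = parse_version(status_output)
    vstatus = version_status(product, version)
    sso = sso_login_enabled(config_output)
    vstr = ".".join(str(x) for x in version)
    if vstatus == "unknown":
        verdict, detail = "unknown", "branch not in this advisory's table; check Fortinet PSIRT"
    elif vstatus == "patched":
        verdict, detail = "patched", "running a fixed release"
    elif sso is True:
        verdict, detail = "exposed", "vulnerable build with FortiCloud SSO login enabled; disable it and upgrade"
    elif sso is False:
        verdict, detail = "mitigated", "vulnerable build, SSO login disabled; still upgrade"
    else:
        verdict, detail = "vulnerable-unverified", "vulnerable build, SSO setting not found in capture; verify manually"
    return {"product": product, "version": vstr, "verdict": verdict, "detail": detail}


# Constructed sample captures (not real device output).
SAMPLE_STATUS = "Version: FortiGate-100F v7.4.3,build2573,240201 (GA.F)\nHostname: fw-edge-1\n"
SAMPLE_CONFIG_ENABLED = 'config system global\n    set admin-forticloud-sso-login enable\n    set hostname "fw-edge-1"\nend\n'
SAMPLE_CONFIG_DISABLED = 'config system global\n    set admin-forticloud-sso-login disable\n    set hostname "fw-edge-1"\nend\n'

if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG_ENABLED, SAMPLE_CONFIG_DISABLED):
        r = triage("FortiOS", SAMPLE_STATUS, cfg)
        print(f"{r['product']} {r['version']}: {r['verdict']} ({r['detail']})")
```

Run it against real captures by feeding each device's two command outputs to `triage`; anything reported as `exposed` should have SSO login disabled first and be scheduled for upgrade, and `unknown` results mean the branch is not covered by this summary, not that the device is safe.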
In addition to the critical authentication bypass vulnerabilities, Fortinet also addressed CVE-2025-59808, an unverified password change vulnerability that lets an attacker who has already gained access to a victim's user account reset that account's credentials without supplying the current password, and CVE-2025-64471, which allows an attacker to authenticate using a password hash in place of the password itself.