Fortinet admins urged to update software to close FortiCloud SSO holes

Admins using FortiCloud SSO (single sign-on) to authenticate access to Fortinet products are urged to upgrade the software running some of the company’s gateway products as soon as possible, or risk their networks being compromised.

“Users of Fortinet appliances should, for now, disable SSO until they are able to patch the devices,” advised Johannes Ullrich, dean of research at the SANS Institute. “However, in the long run, this is not a reason to abandon SSO, and it should be re-enabled after the patch is applied.”

The holes, CVE-2025-59718 and CVE-2025-59719, are cryptographic signature vulnerabilities in the FortiOS operating system that runs Fortinet devices, as well as in the FortiWeb, FortiProxy and FortiSwitchManager products. They allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML (Security Assertion Markup Language) message, if that feature is enabled on the device.

In an advisory, Fortinet notes that the FortiCloud SSO login feature is not enabled in default factory configurations. However, when an administrator registers the device with FortiCare product support from the device’s GUI, single sign-on login is enabled unless they turn off the setting “Allow administrative login using FortiCloud SSO” on the registration page.

Single sign-on allows users to enter one password to access many applications or services, and in this case it enables an admin to oversee several Fortinet devices. Ullrich calls it “a crucial component in providing a unified authentication and access control experience across an organization. Integrating devices like FortiNet’s offerings is important, and organizations are typically advised to enable this feature.”

Fortinet uses SAML as the underlying protocol, he explained, noting, “this is a complex protocol, and numerous implementations of it have encountered issues in the past. Just yesterday, the same day Fortinet patched its systems, Ruby released a patch for its SAML library.”

He added that SAML implementations often suffer problems due to the intricacies of XML parsing and ambiguities in interpreting the result.

To prevent being affected by this flaw, Fortinet says admins should turn off the FortiCloud SSO login feature (if enabled) until after upgrading to a non-affected version. To turn off FortiCloud login, it said, go to System -> Settings, then toggle “Allow administrative login using FortiCloud SSO” to Off. Alternatively, admins can use the command line interface and enter:

config system global
set admin-forticloud-sso-login disable
end

Affected applications should then be updated to the latest versions, and SSO re-enabled.
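Confirming that the mitigation actually landed on every device is easier with a check over saved CLI output than by clicking through each GUI. The following is an added example, not Fortinet tooling: it parses FortiOS-style config text for the `admin-forticloud-sso-login` setting inside `config system global`, and treats a missing `set` line as "unset, verify in GUI" on the assumption that `show` output omits values left at their default. The sample config text is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of FortiOS-style CLI output (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set timezone 12
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

def forticloud_sso_state(config_text: str) -> Optional[str]:
    """Return 'enable', 'disable', or None when the setting is absent from
    the 'config system global' block. Lines outside that block are ignored
    so a same-named key elsewhere cannot produce a false result."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
            continue
        if in_global and line == "end":
            break
        if in_global:
            m = re.match(r"set admin-forticloud-sso-login (\w+)$", line)
            if m:
                return m.group(1)
    return None

def mitigation_applied(config_text: str) -> bool:
    """True only when the setting is explicitly disabled."""
    return forticloud_sso_state(config_text) == "disable"

def triage(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group devices by SSO login state. 'unset' is kept separate: the
    setting may be at its default (assumption: omitted from 'show'), and
    GUI registration with FortiCare can turn it on, so check those by hand."""
    groups: Dict[str, List[str]] = {"enabled": [], "disabled": [], "unset": []}
    for host, text in configs.items():
        state = forticloud_sso_state(text)
        key = "unset" if state is None else ("disabled" if state == "disable" else "enabled")
        groups[key].append(host)
    return groups
```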

Robert Beggs, head of Canada-based incident response firm DigitalDefence, said that fortunately the vulnerability was identified by FortiGuard’s internal team. “If it had been announced by a third party, then it would have been more likely a vulnerability that was being actively exploited in the wild,” he observed. “It appears that this may have been identified in time to get a warning out and minimize potential compromises.”

The fact that a pair of vulnerabilities affects a number of a manufacturer’s offerings shows the downside of having a shared code base for their products, Beggs added. While on the one hand, it allows the vendor to rapidly scale the number and functionality of products and to ensure integrated operation, on the other hand, the codebase becomes a single point of failure. These FortiGuard issues demonstrate both sides of the coin.

“The vulnerability is critical, and security teams must apply the recommended steps,” he said.

Fortinet was asked for comment, but did not respond by publication time.
