{"id":6165,"date":"2025-12-11T01:24:42","date_gmt":"2025-12-11T01:24:42","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6165"},"modified":"2025-12-11T01:24:42","modified_gmt":"2025-12-11T01:24:42","slug":"fortinet-admins-urged-to-update-software-to-close-forticloud-sso-holes","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6165","title":{"rendered":"Fortinet admins urged to update software to close FortiCloud SSO holes"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Admins using FortiCloud SSO (single sign-on) to authenticate administrative access to Fortinet products are urged to upgrade the software running some of the company\u2019s gateway products as soon as possible, or risk their networks being compromised.<\/p>\n<p>\u201cUsers of Fortinet appliances should, for now, disable SSO until they are able to patch the devices,\u201d advised <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute. \u201cHowever, in the long run, this is not a reason to abandon SSO, and it should be re-enabled after the patch is applied.\u201d<\/p>\n<p>The holes, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-59718\" target=\"_blank\" rel=\"noopener\">CVE-2025-59718<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-59719\" target=\"_blank\" rel=\"noopener\">CVE-2025-59719<\/a>, are cryptographic signature-verification flaws in FortiOS, the operating system that runs FortiGate firewalls, and in the FortiWeb, FortiProxy and FortiSwitchManager products. 
They let an unauthenticated attacker bypass FortiCloud SSO administrative login with a crafted SAML (Security Assertion Markup Language) message, if that feature is enabled on the device.<\/p>\n<p><a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-25-647\" target=\"_blank\" rel=\"noopener\">In an advisory<\/a>, Fortinet notes that the FortiCloud SSO login feature is not enabled in default factory configurations. However, when an administrator registers the device with FortiCare product support from the device\u2019s GUI, single sign-on login is enabled unless they turn off the setting \u201cAllow administrative login using FortiCloud SSO\u201d on the registration page.<\/p>\n<p>Single sign-on lets users authenticate once to reach many applications or services; in this case it lets an admin manage several Fortinet devices with one FortiCloud identity. Ullrich calls it \u201ca crucial component in providing a unified authentication and access control experience across an organization. Integrating devices like Fortinet\u2019s offerings is important, and organizations are typically advised to enable this feature.\u201d<\/p>\n<p>Fortinet uses SAML as the underlying protocol, he explained, noting, \u201cthis is a complex protocol, and numerous implementations of it have encountered issues in the past. Just yesterday, the same day Fortinet patched its systems, Ruby released a patch for its SAML library.\u201d<\/p>\n<p>He added that SAML implementations often suffer problems due to the intricacies of XML parsing and ambiguities in interpreting the result.<\/p>\n<p>As an interim workaround, Fortinet says admins should turn off the FortiCloud SSO login feature (if enabled) until they have upgraded to a fixed version. In the GUI, go to System -&gt; Settings, then toggle \u201cAllow administrative login using FortiCloud SSO\u201d to Off. 
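<\/p>\n<p>As an added example (not code from the article or from Fortinet), the Python below audits FortiOS-style configuration backups for that same setting, so an admin holding backups from many devices can see which ones still have <code>admin-forticloud-sso-login<\/code> enabled and need the interim step. The stanza layout (<code>config system global<\/code> ... <code>end<\/code>) follows the CLI commands Fortinet gives; the sample backups, hostnames, nested interface block and function names are constructed for the demonstration. When the line is absent the function reports <code>default<\/code>: FortiOS backups typically omit settings left at their default, and the advisory says the feature is off in factory configuration, but because GUI registration with FortiCare turns it on, confirm the state on the device rather than trusting an old backup.<\/p>

```python
# Added example, not code from the article or from Fortinet. It audits
# FortiOS-style configuration backups for the admin-forticloud-sso-login
# setting that the advisory's interim workaround disables. The stanza layout
# (config system global ... end) is the CLI the article quotes; the backups,
# hostnames and the nested interface block below are constructed test data.

SETTING = 'set admin-forticloud-sso-login '

def sso_login_state(config_text):
    '''Return 'enable', 'disable' or 'default' for admin-forticloud-sso-login
    in the top-level config system global stanza.

    'default' means the line is absent. FortiOS backups typically omit
    settings left at their default, and the advisory says the feature is off
    in factory configuration, but GUI registration with FortiCare turns it
    on, so treat 'default' as unverified and confirm on the device.'''
    depth = 0          # nesting of config ... end blocks
    in_global = False  # inside the top-level config system global block
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith('config '):
            depth += 1
            if depth == 1 and line == 'config system global':
                in_global = True
            continue
        if line == 'end':
            if in_global and depth == 1:
                return 'default'   # stanza closed without the setting
            depth -= 1
            continue
        if in_global and depth == 1 and line.startswith(SETTING):
            return line.split()[2]
    return 'default'

def hosts_needing_action(backups):
    '''Hostnames whose backup shows the SSO admin login enabled: the devices
    where the disable-then-upgrade step applies.'''
    return sorted(host for host, cfg in backups.items()
                  if sso_login_state(cfg) == 'enable')

# Constructed backups for three imaginary devices (not real configurations).
CONSTRUCTED_BACKUPS = {
    'fgt-edge-01': '''
config system global
    set admintimeout 15
    set admin-forticloud-sso-login enable
end
config system interface
    edit port1
        set ip 198.51.100.1 255.255.255.0
        config ipv6
            set ip6-mode static
        end
    next
end
''',
    'fgt-edge-02': '''
config system global
    set admin-forticloud-sso-login disable
end
''',
    'fgt-lab-03': '''
config system global
    set admintimeout 5
end
''',
}

if __name__ == '__main__':
    for host, cfg in sorted(CONSTRUCTED_BACKUPS.items()):
        print(host, sso_login_state(cfg))
    print('disable before upgrading:', hosts_needing_action(CONSTRUCTED_BACKUPS))
```

<p>The depth counter matters because FortiOS backups nest <code>config<\/code> ... <code>end<\/code> blocks inside interface entries; the audit only trusts a <code>set<\/code> line that sits directly in the top-level global stanza, so a similarly named option elsewhere in the file cannot produce a false result.<\/p>\n<p>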
Alternatively, admins can use the command line interface and enter:<\/p>\n<pre><code>config system global\nset admin-forticloud-sso-login disable\nend<\/code><\/pre>\n<p>Affected products should then be upgraded to a fixed version, and SSO re-enabled.<\/p>\n<p><a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noopener\">Robert Beggs<\/a>, head of Canada-based incident response firm DigitalDefence, said that fortunately the vulnerability was identified by FortiGuard\u2019s internal team. \u201cIf it had been announced by a third party, then it would have been more likely a vulnerability that was being actively exploited in the wild,\u201d he observed. \u201cIt appears that this may have been identified in time to get a warning out and minimize potential compromises.\u201d<\/p>\n<p>The fact that a pair of vulnerabilities affects a number of a manufacturer\u2019s offerings shows the downside of a shared code base, Beggs added. On the one hand, it allows the vendor to rapidly scale the number and functionality of its products and to ensure they work together; on the other, the codebase becomes a single point of failure. These Fortinet issues demonstrate both sides of that coin.<\/p>\n<p>\u201cThe vulnerability is critical, and security teams must apply the recommended steps,\u201d he said.<\/p>\n<p>Fortinet was asked for comment, but did not respond by publication time.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Admins using FortiCloud SSO (single sign-on) to authenticate access to Fortinet products are urged to upgrade the software running some of the company\u2019s gateway products as soon as possible, or risk their networks being compromised. 
\u201cUsers of Fortinet appliances should, for now, disable SSO until they are able to patch the devices,\u201d advised Johannes [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6165","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6165"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6165"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6166"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}