Fortinet recently published PSIRT advisory FG-IR-25-647 detailing a serious authentication bypass vulnerability affecting multiple Fortinet products when FortiCloud SSO login is enabled. I’m flagging this because it’s critical for organizations relying on Fortinet firewalls and security appliances to protect internal networks and administrative access.
What’s the issue?
Fortinet identified an improper cryptographic signature verification flaw (CWE-347) that can be exploited to bypass FortiCloud Single Sign-On (SSO) authentication. In simple terms:
If FortiCloud SSO login is enabled on your device, an attacker could send a specially crafted SAML response that tricks the appliance into granting access without proper credentials. FortiGuard+1
This affects multiple product lines, including:
- FortiOS (FortiGate firewalls)
- FortiWeb
- FortiProxy
- FortiSwitchManager
The flaw corresponds to CVE-2025-59718 and CVE-2025-59719, both carrying critical severity. FortiGuard+1
Who’s at risk?
- Devices running vulnerable firmware and
- where FortiCloud SSO login has been enabled.
Important note: FortiCloud SSO is not enabled by default on factory settings — but many administrators turn it on during FortiCare registration and forget to disable it. Qualys ThreatPROTECT
Why this matters
Authentication bypass bugs like this are high-impact because they can give an unauthenticated attacker admin-level access without needing a valid username/password. Once inside, attackers could manipulate configuration, pivot deeper into your network, harvest credentials, or circumvent other access controls.
Security monitoring groups have already observed exploitation activity in the wild tied to these CVEs — meaning this isn’t a theoretical risk anymore. NHS England Digital+1
What you should do now
Here’s the practical, no-nonsense guidance:
1. Identify impacted devices.
List all FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager systems that are registered with FortiCloud SSO enabled.
2. Disable FortiCloud SSO login immediately.
If you are unable to patch right now, disabling this feature cuts off the most direct exploitation path. Treat this as temporary risk reduction — not a full fix. Triskele Labs
3. Patch to upgrade levels recommended by Fortinet.
Install the fixed firmware versions provided in the PSIRT advisory. Ensure you validate the build with your change control process and staging validation before rolling into production.
4. Monitor for suspicious admin access.
Review logs for unusual administrative logins or SSO usage patterns. Early detection reduces the damage from successful exploitation.
5. Plan recurring vulnerability patch cycles.
This incident reinforces a simple truth: timely patching isn’t optional. It’s core to reducing your attack surface.
Bottom line
If you’re running Fortinet devices with FortiCloud SSO login enabled — your systems are at real risk right now unless patched or the feature is turned off. This vulnerability bypasses authentication, and that’s as serious as it gets.
If you need help identifying impacted systems, deciding on an upgrade path, or applying mitigations safely, reach out — that’s exactly what we do at Mirazon. Stay safe and stay patched.