Fortinet recently issued an urgent advisory regarding two critical security flaws, CVE-2025-59718 and CVE-2025-59719, which impact the authentication processes for FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. These vulnerabilities involve the improper verification of cryptographic signatures within SAML messages used for Single Sign-On. When exploited, these weaknesses allow unauthorized individuals to bypass standard security checks and log into administrative accounts using specially crafted login requests.
While these vulnerabilities are not present in the default settings, they become active when FortiCloud SSO is enabled. Many users inadvertently activate this feature during the device registration process through the FortiCare interface. Security researchers have already observed active exploitation in the wild, with attacks originating from specific IP addresses associated with various cloud service providers. These incidents confirm that the flaws are being used for malicious purposes rather than simple security scanning.
The primary objective of these attacks appears to be the theft of system configuration files from compromised admin accounts. These files are highly sensitive as they contain detailed information about network layouts, firewall policies, routing tables, and internet-facing services. Furthermore, configuration files often store hashed passwords which, if weak, can be cracked by attackers to gain deeper, long-term access to the internal network infrastructure.
GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025
Fortinet has released several firmware updates to address these issues across its product line, including specific versions of FortiOS, FortiProxy, and FortiWeb. For organizations unable to apply patches immediately, the recommended mitigation is to manually disable the FortiCloud SSO administrative login feature within the system settings. This temporary measure prevents attackers from using the forged login method to gain entry while the system remains on an older version.
In addition to patching, security experts recommend that administrators monitor their system logs for any unusual Single Sign-On activity. If a breach is suspected, it is vital to rotate all firewall credentials and administrative passwords immediately. To further harden the environment, management access to firewalls and VPNs should be restricted to trusted internal networks only, reducing the overall attack surface available to external threats.
Source: Hackers Exploit Newly Patched Fortinet Authentication Bypass Flaws
Good breakdown of the attack vector. The fact that configuration file theft is the primary goal makes sense becuase those files are basically a complete map of the defensive perimeter plus credential hashes. What's alarming is the opt-in during device registration that most admins probably don't even register as enabling SSO. In my experince, default-off features that get silently toggled during setup flows are where alot of enterprise security gaps hide. The mitigation advice to restrict management access to internal networks should really be standard practice regardless of this CVE, but worth repeating given how many orgs still expose admin interfaces publicly.