
Fortinet has released security fixes for four vulnerabilities that affect authentication and login flows across multiple products, including two critical FortiCloud SSO authentication bypass issues in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE‑2025‑59718 and CVE‑2025‑59719) and additional login weaknesses in FortiSOAR (CVE‑2025‑59808) and FortiWeb (CVE‑2025‑64471). As of December 9, 2025, patches are available, and administrators are urged to disable FortiCloud SSO login where in use and upgrade to non‑vulnerable firmware releases as soon as possible.
Overview
The main issues concern how several Fortinet products validate SAML messages used for FortiCloud SSO and how some components handle password changes and password hashes:
- CVE‑2025‑59718 – in FortiOS, FortiProxy, and FortiSwitchManager, an improper verification of cryptographic signatures (CWE‑347) allows an unauthenticated remote attacker to bypass FortiCloud SSO login using a maliciously crafted SAML response.[2]
- CVE‑2025‑59719 – a closely related SAML signature‑verification flaw in FortiWeb enables the same FortiCloud SSO authentication bypass pattern via a forged SAML response.[3]
- CVE‑2025‑59808 – in FortiSOAR PaaS and on‑prem, an unverified password change bug (CWE‑620) allows an attacker who already controls a user account to reset that account’s credentials without being prompted for the existing password.[4][5]
- CVE‑2025‑64471 – in FortiWeb, a “use of password hash instead of password for authentication” weakness (CWE‑836) lets an attacker authenticate by presenting a valid password hash instead of the plaintext password through crafted HTTP/HTTPS requests.[6]
All four vulnerabilities were assigned CVEs on December 9, 2025, with Fortinet identified as the CNA (CVE Numbering Authority).[3][4][6]
Impact
FortiCloud SSO authentication bypass (CVE‑2025‑59718 and CVE‑2025‑59719)
For devices where FortiCloud SSO login is enabled and the management interface is reachable, CVE‑2025‑59718 and CVE‑2025‑59719 are high‑impact, remotely exploitable flaws:
- CVE‑2025‑59718 (FortiOS/FortiProxy/FortiSwitchManager)
- CVSS v3.1 base score of 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, according to Fortinet‑sourced scoring.[2]
- Successful exploitation gives an unauthenticated attacker full administrative access through FortiCloud SSO, enabling configuration changes, VPN and firewall rule manipulation, deployment of backdoors, and lateral movement.
- CVE‑2025‑59719 (FortiWeb)
- Also rated 9.8 (Critical) with the same CVSS v3.1 vector.[3]
- An attacker can gain administrative control of FortiWeb appliances, potentially altering application‑security policies, tampering with traffic inspection, or exfiltrating configuration and credential data.
In both cases, no prior credentials or user interaction are required, only network access to the affected management interface.
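The page does not describe the exact defect behind CVE‑2025‑59718 and CVE‑2025‑59719, only that a crafted SAML response defeats signature verification (CWE‑347). As an added illustration, which is neither Fortinet's code nor a reconstruction of the bug, the following Python shows one of the most common ways a SAML verifier fails that check: confirming that a valid signature exists somewhere in the Response and then consuming an Assertion the signature never covered. XML‑DSig, RSA and canonicalization are replaced by an HMAC over the serialized element (the key IDP_KEY, the SP entity ID and the user names are constructed), and the Signature sits beside the Assertion rather than inside it, so the example runs on the standard library alone.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keeps re-serialization deterministic

# Constructed stand-ins: a real deployment verifies XML-DSig against the IdP's
# X.509 certificate taken from metadata; HMAC over the serialized element is used
# here only so the example runs on the standard library.
IDP_KEY = b"constructed-demo-key"
SP_ENTITY_ID = "https://fw.example.test/saml/metadata"  # assumed SP entity ID
ASSERTION_TAG = f"{{{NS['saml']}}}Assertion"


def canon(elem):
    """Deterministic bytes of an element (stand-in for XML canonicalization)."""
    return ET.tostring(elem, encoding="utf-8")


def build_signed_response(name_id, assertion_id="_a1"):
    """IdP side: one Assertion, signed; the Signature references it by ID."""
    root = ET.fromstring(
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        f'<saml:Assertion ID="{assertion_id}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}"
        f"</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion></samlp:Response>"
    )
    assertion = root.find("saml:Assertion", NS)
    mac = hmac.new(IDP_KEY, canon(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, f"{{{NS['ds']}}}Signature")
    info = ET.SubElement(sig, f"{{{NS['ds']}}}SignedInfo")
    ET.SubElement(info, f"{{{NS['ds']}}}Reference").set("URI", f"#{assertion_id}")
    ET.SubElement(sig, f"{{{NS['ds']}}}SignatureValue").text = mac
    return ET.tostring(root, encoding="unicode")


def wrap_attack(legit_response, wanted_name_id="admin"):
    """Attacker side: keep the genuinely signed Assertion so the signature still
    checks out, and put an unsigned Assertion for another user in front of it."""
    root = ET.fromstring(legit_response)
    evil = ET.fromstring(
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_evil"><saml:Subject>'
        f"<saml:NameID>{wanted_name_id}</saml:NameID></saml:Subject></saml:Assertion>"
    )
    root.insert(0, evil)
    return ET.tostring(root, encoding="unicode")


def signed_element(root):
    """Resolve the Signature's Reference and check the MAC over that element.
    Returns the element the signature actually covers, or None."""
    sig = root.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    value = sig.findtext("ds:SignatureValue", namespaces=NS) if sig is not None else None
    if ref is None or not value or not ref.get("URI", "").startswith("#"):
        return None
    target_id = ref.get("URI")[1:]
    target = next((e for e in root.iter() if e.get("ID") == target_id), None)
    if target is None:
        return None
    expected = hmac.new(IDP_KEY, canon(target), hashlib.sha256).hexdigest()
    return target if hmac.compare_digest(expected.encode(), value.encode()) else None


def login_naive(response_xml):
    """Vulnerable pattern: 'some signature verifies', then read the first Assertion."""
    root = ET.fromstring(response_xml)  # use defusedxml for untrusted input in production
    if signed_element(root) is None:
        return None
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def login_strict(response_xml):
    """Hardened: consume only the element the signature covers, require it to be
    the sole Assertion in the Response, and check it is addressed to this SP."""
    root = ET.fromstring(response_xml)
    signed = signed_element(root)
    assertions = root.findall("saml:Assertion", NS)
    if signed is None or signed.tag != ASSERTION_TAG or assertions != [signed]:
        return None
    audience = signed.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        return None
    return signed.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

login_naive accepts the wrapped response as "admin" while login_strict rejects it, because the strict verifier returns the element the signature actually covers and refuses any Response whose consumable Assertion is not that element. A production verifier additionally pins the IdP certificate from metadata rather than trusting anything carried in the message, checks the NotBefore/NotOnOrAfter window, the InResponseTo identifier of the outstanding request and the Recipient URL, and parses the untrusted XML with defusedxml.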
FortiSOAR unverified password change (CVE‑2025‑59808)
CVE‑2025‑59808 does not itself provide initial access; instead, it strengthens persistence and account takeover once an attacker has compromised an account:
- Rated Medium, with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H): network‑reachable, but requiring low privileges and high attack complexity, with no confidentiality impact.[4][5]
- An attacker controlling a FortiSOAR user account can reset that account’s credentials without proving knowledge of the current password, locking out the legitimate user and maintaining long‑term access.
FortiWeb password‑hash login (CVE‑2025‑64471)
CVE‑2025‑64471 effectively enables a pass‑the‑hash‑style attack path against FortiWeb:
- NVD assigns a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, while Fortinet's CNA score is 4.9 (Medium) with AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N. The two vectors differ only in Privileges Required (PR:N versus PR:H), so the gap reflects disagreement over whether an attacker needs an existing privileged account to exploit the flaw.[6]
- If an attacker can obtain valid FortiWeb password hashes from elsewhere in the environment, they can authenticate using only those hashes, bypassing knowledge of the actual passwords and undermining traditional credential‑based protections.
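To make the two weaker findings concrete, here is an added Python example (not code from FortiSOAR or FortiWeb, whose internals the page does not describe) of a small account service with both behaviours side by side: a login that accepts the stored hash as a credential (CWE‑836, the pattern named for CVE‑2025‑64471) and a password change that never re‑checks the current password (CWE‑620, the pattern named for CVE‑2025‑59808), each paired with the corrected version. The user table, session tokens and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


class CredentialStore:
    """Constructed in-memory account service used to contrast the weak and the
    corrected behaviours. PBKDF2-HMAC-SHA256 stands in for whatever hashing the
    real products use, which the page does not describe."""

    ITERATIONS = 100_000  # kept modest for the example; raise in production

    def __init__(self):
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.sessions = {}  # session token -> username

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def open_session(self, username):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    # --- CWE-836: use of password hash instead of password for authentication ---
    def login_vulnerable(self, username, password=None, password_hash=None):
        """The stored hash is accepted as a credential in its own right, so anyone
        who obtains it (backup, log, database dump) never needs the password."""
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        if password_hash is not None:
            try:
                return hmac.compare_digest(bytes.fromhex(password_hash), stored)
            except ValueError:
                return False
        return password is not None and hmac.compare_digest(self._hash(password, salt), stored)

    def login_fixed(self, username, password):
        """Only the plaintext path exists; the server derives the hash itself,
        so a leaked hash is useless as a login credential."""
        return self.check_password(username, password)

    # --- CWE-620: unverified password change ---
    def change_password_vulnerable(self, token, new_password):
        """Holding a session is enough to set a new password: a stolen session
        becomes a permanent takeover and the real owner is locked out."""
        username = self.sessions.get(token)
        if username is None:
            return False
        self.set_password(username, new_password)
        return True

    def change_password_fixed(self, token, current_password, new_password):
        """Require the current password again, then revoke every other session
        for the account so an attacker riding a stolen session is cut off."""
        username = self.sessions.get(token)
        if username is None or not self.check_password(username, current_password):
            return False
        self.set_password(username, new_password)
        self.sessions = {t: u for t, u in self.sessions.items()
                         if u != username or t == token}
        return True
```

In the vulnerable change path a session obtained by any means can rotate the password and, because nothing else is revoked, the account stays under the attacker's control; in the fixed path the change itself becomes the point at which every other session is terminated.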
Affected Products & Versions
The following product and version ranges are listed as vulnerable in Fortinet‑sourced CVE summaries.[2][3][4][6]
CVE‑2025‑59718 – FortiOS, FortiProxy, FortiSwitchManager (FortiCloud SSO auth bypass)
- FortiOS
- 7.6.0 – 7.6.3
- 7.4.0 – 7.4.8
- 7.2.0 – 7.2.11
- 7.0.0 – 7.0.17
- FortiProxy
- 7.6.0 – 7.6.3
- 7.4.0 – 7.4.10
- 7.2.0 – 7.2.14
- 7.0.0 – 7.0.21
- FortiSwitchManager
- 7.2.0 – 7.2.6
- 7.0.0 – 7.0.5
CVE‑2025‑59719 – FortiWeb (FortiCloud SSO auth bypass)
- FortiWeb
- 8.0.0
- 7.6.0 – 7.6.4
- 7.4.0 – 7.4.9
CVE‑2025‑59808 – FortiSOAR (unverified password change)
- FortiSOAR PaaS
- 7.6.0 – 7.6.2
- 7.5.0 – 7.5.1
- 7.4 – all versions
- 7.3 – all versions
- FortiSOAR on‑premise
- 7.6.0 – 7.6.2
- 7.5.0 – 7.5.1
- 7.4 – all versions
- 7.3 – all versions
CVE‑2025‑64471 – FortiWeb (password‑hash authentication)
- FortiWeb
- 8.0.0 – 8.0.1
- 7.6.0 – 7.6.4
- 7.4.0 – 7.4.10
- 7.2.0 – 7.2.11
- 7.0.0 – 7.0.11
Exposure & Exploitability
FortiCloud SSO behavior and default settings
Fortinet’s documentation and independent analysis explain that FortiCloud SSO login is not enabled in factory default settings.[1] However, when an administrator registers a device to FortiCare using the graphical user interface, the option “Allow administrative login using FortiCloud SSO” is turned on by default unless the administrator explicitly disables it during registration.[1]
As a result:
- New or existing FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb deployments that were registered via GUI and left this toggle at its default may be unknowingly exposed to FortiCloud SSO‑based auth bypass.
- Any management interface reachable from the internet or an untrusted network, and configured to accept FortiCloud SSO, is a viable target for unauthenticated exploitation of CVE‑2025‑59718 or CVE‑2025‑59719.
Preconditions for each vulnerability
- CVE‑2025‑59718 and CVE‑2025‑59719
- FortiCloud SSO login must be enabled on the device.
- The attacker must be able to reach the management interface that handles FortiCloud SSO (typically HTTPS).
- No valid credentials or user interaction are required; the attacker only needs to deliver a crafted SAML response that bypasses signature checks.[2][3]
- CVE‑2025‑59808 (FortiSOAR)
- The attacker must have already gained access to a victim’s FortiSOAR account (e.g., via credential theft or session hijacking).
- Once in control of the account, the attacker can change the account’s password without supplying the original password, solidifying their control.[4][5]
- CVE‑2025‑64471 (FortiWeb)
- The attacker must obtain valid password hashes for FortiWeb accounts from another source.
- With those hashes and network access to FortiWeb’s HTTP/HTTPS login endpoint, they can authenticate by supplying the hash instead of the actual password.[6]
Mitigations & Patching
1. Disable FortiCloud SSO login (immediate mitigation)
For organizations that cannot patch instantly, the highest priority is to disable FortiCloud SSO login wherever it is enabled:
- GUI path (FortiOS / FortiProxy / FortiSwitchManager / FortiWeb)
- Navigate to System → Settings.
- Turn “Allow administrative login using FortiCloud SSO” to Off.[1]
- CLI example (FortiOS / FortiProxy / FortiSwitchManager)
From a privileged CLI session, disable FortiCloud SSO login globally with:
    config system global
        set admin-forticloud-sso-login disable
    end
Apply this change to all affected devices where FortiCloud SSO is active, especially any with management interfaces exposed to the internet or partner networks.
Additionally:
- Restrict management access to VPN‑only or dedicated admin networks.
- Use IP‑based restrictions (trusted hosts / local‑in policies) and multifactor authentication for all administrative accounts.
2. Upgrade paths for FortiCloud SSO auth bypass (CVE‑2025‑59718/59719)
A technical summary of Fortinet’s advisory lists the following minimum fixed versions for the SAML signature‑verification flaws.[1] Always confirm with Fortinet’s official PSIRT notices and upgrade tools before deployment:
- FortiOS
- 7.6.0–7.6.3 → upgrade to 7.6.4 or later
- 7.4.0–7.4.8 → upgrade to 7.4.9 or later
- 7.2.0–7.2.11 → upgrade to 7.2.12 or later
- 7.0.0–7.0.17 → upgrade to 7.0.18 or later
- FortiProxy
- 7.6.0–7.6.3 → upgrade to 7.6.4 or later
- 7.4.0–7.4.10 → upgrade to 7.4.11 or later
- 7.2.0–7.2.14 → upgrade to 7.2.15 or later
- 7.0.0–7.0.21 → upgrade to 7.0.22 or later
- FortiSwitchManager
- 7.2.0–7.2.6 → upgrade to 7.2.7 or later
- 7.0.0–7.0.5 → upgrade to 7.0.6 or later
- FortiWeb (CVE‑2025‑59719)
- 8.0.0 → upgrade to 8.0.1 or later
- 7.6.0–7.6.4 → upgrade to 7.6.5 or later
- 7.4.0–7.4.9 → upgrade to 7.4.10 or later
Even after patching, consider whether FortiCloud SSO is truly required; if not, leaving it disabled reduces attack surface. Note also that the FortiWeb targets above address CVE‑2025‑59719 only: 8.0.1 and 7.4.10 still fall inside the CVE‑2025‑64471 affected ranges (8.0.0–8.0.1 and 7.4.0–7.4.10), so FortiWeb 8.0 and 7.4 deployments need a release beyond those to close both issues, whereas 7.6.5 lies outside both ranges.
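Both the toggle and the firmware version are easiest to track across a fleet from configuration backups. The following Python is added here and is not a Fortinet tool: it reads a FortiOS‑style backup, pulls the firmware version from the `#config-version=` header, looks in `config system global` for `set admin-forticloud-sso-login enable`, and compares the version with the CVE‑2025‑59718 ranges listed on this page. It assumes FortiProxy and FortiSwitchManager backups share the FortiOS header layout (check against your own backups), and the sample backup text, including its build number, is constructed.

```python
import re

# Affected ranges and minimum fixed releases for CVE-2025-59718 as listed on this
# page. Versions are (major, minor, patch) tuples so that 7.4.10 sorts after 7.4.9.
AFFECTED = {
    "FortiOS": [((7, 6, 0), (7, 6, 3), "7.6.4"), ((7, 4, 0), (7, 4, 8), "7.4.9"),
                ((7, 2, 0), (7, 2, 11), "7.2.12"), ((7, 0, 0), (7, 0, 17), "7.0.18")],
    "FortiProxy": [((7, 6, 0), (7, 6, 3), "7.6.4"), ((7, 4, 0), (7, 4, 10), "7.4.11"),
                   ((7, 2, 0), (7, 2, 14), "7.2.15"), ((7, 0, 0), (7, 0, 21), "7.0.22")],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 6), "7.2.7"), ((7, 0, 0), (7, 0, 5), "7.0.6")],
}

HEADER_RE = re.compile(r"^#config-version=\S+?-(\d+\.\d+\.\d+)-FW-build", re.M)
GLOBAL_RE = re.compile(r"^config system global\n(.*?)\nend$", re.S | re.M)
SSO_RE = re.compile(r"^\s*set admin-forticloud-sso-login (enable|disable)\s*$", re.M)

# Constructed backup excerpt in FortiOS layout; the build number is a placeholder.
SAMPLE_BACKUP = """\
#config-version=FGVM64-7.4.8-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-01"
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
"""


def parse_version(text):
    """Firmware version from the backup header, as a comparable tuple, or None."""
    m = HEADER_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def sso_login_enabled(text):
    """True/False when the setting is explicit under 'config system global', None
    when absent. A normal backup omits default values and the page states the
    factory default is off, so None normally means disabled; on a live device,
    'show full-configuration system global' prints the value either way."""
    block = GLOBAL_RE.search(text)
    if block is None:
        return None
    m = SSO_RE.search(block.group(1))
    return None if m is None else m.group(1) == "enable"


def required_fix(product, version):
    """Minimum fixed release if the version is in an affected range, else None."""
    for low, high, fix in AFFECTED.get(product, []):
        if low <= version <= high:
            return fix
    return None


def audit_backup(product, text):
    """Combine both conditions: a device is exposed to the SSO bypass only when it
    runs an affected build AND has FortiCloud SSO login switched on."""
    version = parse_version(text)
    fix = required_fix(product, version) if version else None
    sso = sso_login_enabled(text)
    return {
        "product": product,
        "version": ".".join(map(str, version)) if version else None,
        "vulnerable_version": fix is not None,
        "upgrade_to": fix,
        "forticloud_sso_login": sso,
        "exposed_to_sso_bypass": fix is not None and sso is True,
    }


if __name__ == "__main__":
    print(audit_backup("FortiOS", SAMPLE_BACKUP))
```

Run it over every backup in your repository, then treat "exposed_to_sso_bypass" hits with internet‑reachable management interfaces as the first patch wave. Tuple comparison matters: a string comparison would rank 7.4.10 below 7.4.9 and misclassify a patched FortiProxy as vulnerable.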
3. FortiSOAR mitigation and patching (CVE‑2025‑59808)
To address the unverified password change issue in FortiSOAR:[4][5]
- Upgrade FortiSOAR PaaS and on‑premise deployments to a release that incorporates the fix described in Fortinet's PSIRT advisory FG‑IR‑25‑599. Because every 7.3 and 7.4 release is listed as affected, there is no fixed release within those branches at publication time; plan a move to a fixed 7.5 or 7.6 release unless the advisory states otherwise.
- In the interim:
- Enforce multi‑factor authentication on all FortiSOAR accounts.
- Apply least‑privilege to user roles and integration accounts.
- Monitor audit logs for unusual password‑change activity (e.g., multiple different accounts changed from the same IP, or changes outside normal work hours).
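The last bullet is straightforward to turn into a detection. The Python below is an added example, not FortiSOAR's audit log format: it takes password‑change records already mapped into a generic shape (timestamp, user, action, source IP; the sample events, business hours and thresholds are all constructed) and flags any source that changes several distinct accounts within a short window, plus any change outside business hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in a generic shape. These are NOT FortiSOAR's own
# log fields; map the real fields into this shape before running the rules.
SAMPLE_EVENTS = [
    {"ts": "2025-12-10T09:05:12", "user": "alice", "action": "password_change", "src": "10.1.1.20"},
    {"ts": "2025-12-10T02:14:03", "user": "bob", "action": "password_change", "src": "203.0.113.7"},
    {"ts": "2025-12-10T02:15:41", "user": "carol", "action": "password_change", "src": "203.0.113.7"},
    {"ts": "2025-12-10T02:16:09", "user": "dave", "action": "password_change", "src": "203.0.113.7"},
    {"ts": "2025-12-10T14:30:00", "user": "erin", "action": "login", "src": "10.1.1.21"},
]

BUSINESS_HOURS = range(8, 19)       # assumed 08:00-18:59 local time; tune per organisation
WINDOW = timedelta(minutes=30)      # assumed sliding window for the "many accounts" rule
ACCOUNT_THRESHOLD = 3               # assumed number of distinct accounts that is suspicious


def find_suspicious_password_changes(events, window=WINDOW, threshold=ACCOUNT_THRESHOLD,
                                     business_hours=BUSINESS_HOURS):
    """Return a list of findings; each has a 'rule' key plus the supporting fields."""
    changes = sorted((e for e in events if e["action"] == "password_change"),
                     key=lambda e: e["ts"])
    findings = []

    # Rule 1: any password change outside business hours.
    for e in changes:
        if datetime.fromisoformat(e["ts"]).hour not in business_hours:
            findings.append({"rule": "off_hours_change", "user": e["user"],
                             "src": e["src"], "ts": e["ts"]})

    # Rule 2: one source IP changing passwords on >= threshold distinct accounts
    # within the window (sliding over the source's own change events).
    by_src = defaultdict(list)
    for e in changes:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            users = {x["user"] for x in evs[i:]
                     if datetime.fromisoformat(x["ts"]) - t0 <= window}
            if len(users) >= threshold:
                findings.append({"rule": "many_accounts_one_source", "src": src,
                                 "users": sorted(users), "ts": first["ts"]})
                break  # one finding per source is enough to raise the alert
    return findings


if __name__ == "__main__":
    for f in find_suspicious_password_changes(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample the three night‑time changes from 203.0.113.7 trigger both rules, while alice's daytime change from an internal address is left alone; a real deployment would feed the findings into the SIEM with the source IP and the affected accounts, since those are what an analyst needs to decide whether to revoke sessions.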
4. FortiWeb mitigation and patching (CVE‑2025‑64471)
For the password‑hash authentication flaw in FortiWeb:[6]
- Patch FortiWeb to fixed versions identified in Fortinet’s PSIRT advisory FG‑IR‑25‑984 (for the CVE‑2025‑64471 fix) and accompanying release notes.
- Harden credential storage and handling:
- Ensure password hashes are not stored in logs, exported configuration files, or easily accessible locations.
- Protect FortiWeb configuration backups and any databases containing credentials with encryption and strict access controls.
- Restrict FortiWeb administrative access to trusted management networks and VPNs and enable MFA where supported.
Timeline
- December 9, 2025
- Fortinet, acting as CNA, publishes CVEs CVE‑2025‑59718, CVE‑2025‑59719, CVE‑2025‑59808, and CVE‑2025‑64471, along with initial CVSS v3.1 scores and CWE mappings.[2][3][4][6]
- Independent reporting highlights that FortiCloud SSO login is disabled in factory defaults but becomes enabled by default when devices are registered to FortiCare via the GUI unless the administrator turns off the relevant toggle.[1]
No public evidence has yet been published that these specific CVEs are under active exploitation, but Fortinet devices have historically been high‑value targets, so organizations should treat timely patching as urgent.
References
[1] Cyber Security News – FortiOS, FortiWeb, and FortiProxy Vulnerability Lets Attackers Bypass FortiCloud SSO Authentication (summary of the FortiCloud SSO auth‑bypass issues and upgrade matrix). cybersecuritynews.com
[2] CVE‑2025‑59718 – Fortinet FortiOS, FortiProxy, and FortiSwitchManager SAML Signature Verification Flaw Allows FortiCloud SSO Authentication Bypass (Fortinet‑sourced CVE details and CVSS scoring). cvedetails.com
[3] CVE‑2025‑59719 – Fortinet FortiWeb Cryptographic Signature Verification Bypass Vulnerability (Fortinet‑sourced CVE details and CVSS scoring). cvedetails.com
[4] CVE‑2025‑59808 – Fortinet FortiSOAR Unverified Password Change Allows Credential Reset Without Authentication (CVE details and Fortinet‑sourced CVSS scoring). cvedetails.com
[5] CVE‑2025‑59808 – cvefeed.io entry summarizing affected FortiSOAR versions and describing the unverified password change weakness. cvefeed.io
[6] NVD – CVE‑2025‑64471: Use of Password Hash Instead of Password for Authentication in Fortinet FortiWeb (description, affected versions, and dual CVSS scores from NVD and Fortinet). nvd.nist.gov