
"The two flaws, tracked as CVE-2025-59718 and CVE-2025-59719, enable a threat actor to bypass FortiCloud single sign-on (SSO) authentication via a maliciously crafted security assertion markup language (SAML) message. According to Fortinet, they are present in multiple versions of FortiOS, FortiWeb, FortiProxy and FortiSwitchManager. It should be noted that while the vulnerable feature is not enabled by default in factory settings, it does activate automatically if and when a device is registered to the FortiCare tech service"
"As a result, any organisation with indicators of compromise [IOCs] must assume credential exposure and respond accordingly."
Two vulnerabilities, CVE-2025-59718 and CVE-2025-59719, allow an attacker to bypass FortiCloud single sign-on (SSO) authentication by submitting a maliciously crafted SAML message. The flaws affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy and FortiSwitchManager. The FortiCloud SSO feature is disabled by default but becomes active when a device is registered to FortiCare via the GUI, unless administrators opt out. CISA warned that this attack vector poses significant risk to federal agencies. Exploitation activity was observed after a proof-of-concept was posted; Rapid7 observed attempts that resulted in administrator authentication followed by configuration downloads, which may expose hashed credentials. Patches are available, and disabling FortiCloud SSO administrative login is recommended while remediation is under way.
Read at ComputerWeekly.com