Sign In
Go back

FortiCloud SSO Login Bypass Vulnerabilities Exploited in the Wild

vuln-intelcvekev
  • Fortinet disclosed two critical vulnerabilities (CVE-2025-59718, CVE-2025-59719) across multiple products on December 9, 2025.
  • The vulnerabilities allow unauthenticated adversaries bypass FortiCloud SSO login authentication. Multiple security firms indicate they’ve observed exploitation in the wild.
  • VulnCheck’s research team has analyzed known public PoCs and determined they are fake or incomplete; defenders should avoid writing or alerting on detections for fake or non-functional PoCs that would not succeed in real-world attacks.

Background

On December 9, 2025, Fortinet published a critical security advisory on two CVEs affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. CVE-2025-59718 and CVE-2025-59719 have identical descriptions and affected products; the vulnerabilities arise from an improper verification of cryptographic signature issue that allows unauthenticated attackers to bypass FortiCloud SSO login authentication “via a crafted SAML message,” if FortiCloud SSO login is enabled on the device.

Per the vendor advisory:
> Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page, FortiCloud SSO login is enabled upon registration.

Both vulnerabilities were discovered internally at Fortinet and were not (to our current knowledge) exploited in the wild at time of disclosure.

Reports of exploitation in the wild

Security firms Arctic Wolf and Huntress have both indicated they’ve observed malicious activity related to these issues; Arctic Wolf said they began seeing “malicious SSO logins on Fortigate appliances” on December 12, three days after the CVEs were disclosed. Huntress also noted specific post-exploitation behavior, namely that adversaries are dumping exploited device configurations after bypassing SSO authentication. Both vulnerabilities were added to VulnCheck KEV as of December 15, based on the Arctic Wolf report. CISA added CVE-2025-59718 (but not the second CVE) to their KEV on December 16.

VulnCheck research observations

Based on our team’s analysis, the two public PoCs for CVE-2025-59718 (as of December 18) are fake or otherwise incomplete. Neither was functional in testing across a range of affected products and configurations. As of 8 AM EST on December 18, we’re not aware of any valid public PoCs for either vulnerability.

We’ve observed a relatively high degree of chatter across social media platforms and industry groups about exploitation of one or both CVEs. At least a subset of these claims, however, appears to be based on detections of non-functional PoCs, meaning that those attacks would not succeed in a real-world environment. Threat research and security teams should avoid relying on detections written against known-fake or otherwise invalid PoCs.

Our team also developed targeted ASM queries for Initial Access Intelligence customers that look for the FortiCloud SSO login button on the system's login page — a UI button that's present only if the FortiCloud SSO feature is enabled as a login option. In our testing, the button disappeared once the feature was disabled. Interestingly, exposure results using this method are extremely low (under 100 at most), and in Shodan's case absent altogether.

Mitigation guidance

A full list of affected products and versions is available in the vendor advisory. Organizations should disable the FortiCloud login feature until they are able to update to a fixed version and look for unexpected logins, particularly for the admin user. Updating to a fixed version, of course, does not eradicate threat actors from compromised environments.

About VulnCheck

The VulnCheck research team is always looking for new vulnerabilities to analyze and curate. For more research like this check out our blogs Frost Checks First: Selective Exploitation, Reacting to Shells: React2Shell Variants and the CVE-2025-55182 Exploit Ecosystem, and Fortinet FortiWeb Exploitation Hits Silently Patched Vulnerability.

Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.
  • Vulnerability Prioritization
    Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
  • Early Warning System
    Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.
Schedule a Demo