AL25-019 - Vulnerabilities impacting Fortinet products - FortiCloud SSO Login Authentication Bypass - CVE-2025-59718 and CVE-2025-59719 - Update 2
Critical vulnerabilities in Fortinet products allow unauthenticated attackers to bypass FortiCloud SSO and SAML login authentication using crafted SAML response messages. Active exploitation has been observed in the wild, necessitating immediate patching or the disabling of the FortiCloud SSO feature and restriction of internet-facing administrative access.
Key Takeaways
- Critical authentication bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) impact multiple Fortinet products with SAML or FortiCloud SSO enabled.
- Active exploitation has been observed in the wild, prompting CISA to add CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog.
- The flaw allows unauthenticated attackers to bypass login authentication via crafted SAML response messages due to improper cryptographic signature verification (CWE-347).
- Immediate patching is required; if patching is impossible, organizations must disable FortiCloud SSO and restrict administrative access from the internet.
Affected Systems
- Fortinet products with FortiCloud SSO or SAML SSO enabled, including FortiAnalyzer (7.0-7.6), FortiManager (7.0-7.6), FortiOS (7.0-7.6), FortiProxy (7.0-7.6), FortiSwitchManager (7.0-7.2), and FortiWeb (7.4-8.0).
Vulnerabilities (CVEs)
- CVE-2025-59718
- CVE-2025-59719
- CVE-2026-24858
Attack Chain
An unauthenticated attacker targets a Fortinet device with FortiCloud SSO or SAML SSO enabled that is exposed to the internet. The attacker sends a crafted SAML response message to the administrative interface. Due to improper verification of the cryptographic signature (CWE-347), the device accepts the malicious SAML response. This allows the attacker to bypass authentication and gain unauthorized administrative access to the device.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or specific IOCs are provided in the article, though it references a Fortinet blog post where IOCs are available.
Detection Engineering Assessment
- EDR Visibility: None — Fortinet devices are closed network appliances that do not support standard EDR agent installation.
- Network Visibility: Medium — Network sensors could potentially inspect SAML responses for anomalies, but HTTPS encryption of the administrative interface typically blinds network monitoring unless SSL decryption is in place.
- Detection Difficulty: Hard — Requires analyzing SAML assertions and cryptographic signatures within encrypted administrative traffic, which is difficult without dedicated appliance logs.
Required Log Sources
- Fortinet System Logs
- Fortinet Authentication Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Search Fortinet authentication logs for unexpected or anomalous FortiCloud SSO logins, particularly from unknown external IP addresses. | Fortinet Authentication Logs | Initial Access | Medium |
Control Gaps
- Lack of EDR visibility on network appliances
- Internet-exposed administrative interfaces
Key Behavioral Indicators
- Unexpected SSO logins
- Logins from anomalous geolocations via SAML
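The hunting hypothesis and the behavioral indicators above (SSO logins from unexpected sources, logins from unknown external IP addresses) can be turned into a simple hunt over exported appliance logs. The following Python script is an added example and is not part of the original advisory or Fortinet's own tooling: it parses FortiOS-style `key=value` event-log lines, keeps only successful administrative logins whose method is an SSO/SAML method, and flags those whose source IP is outside the organisation's management allowlist or whose user has never logged in via SSO before. The log lines are constructed for illustration, and the field names used for the login method, user and source address (`method`, `user`, `srcip`) are assumptions about the export format, so map them to the fields your FortiAnalyzer or syslog export actually carries before running it on real data.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in a FortiOS-style key=value event-log format.
# The field names (method, user, srcip, action, status) are assumptions for
# illustration, not a statement of what FortiCloud SSO logins actually emit.
SAMPLE_LOGS = [
    'date=2025-12-16 time=08:01:10 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=10.10.5.23 action="login" status="success"',
    'date=2025-12-16 time=08:03:42 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" method="forticloud-sso" srcip=10.10.5.40 action="login" status="success"',
    'date=2025-12-16 time=23:17:05 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="forticloud-sso" srcip=203.0.113.77 action="login" status="success"',
    'date=2025-12-16 time=23:17:09 type="event" subtype="system" logdesc="Admin login successful" user="svc-new" method="saml" srcip=198.51.100.9 action="login" status="success"',
    'date=2025-12-16 time=23:20:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.9 action="login" status="failed"',
]

# Assumed management allowlist: the ranges from which admins legitimately log in.
ADMIN_NETWORKS = [ip_network("10.10.0.0/16")]
# Assumed method values that identify FortiCloud SSO / SAML logins in the export.
SSO_METHODS = {"forticloud-sso", "saml"}
# Assumed baseline of accounts known to use SSO (e.g. from the previous 30 days).
KNOWN_SSO_USERS = {"ops@example.com", "admin"}

# key=value pairs where the value is either quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def is_external(ip: str) -> bool:
    """True when the address is outside every allowlisted management network.
    An unparseable or missing address is treated as external so it is not silently dropped."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in ADMIN_NETWORKS)


def find_suspicious_sso_logins(lines, known_users=KNOWN_SSO_USERS):
    """Return successful SSO/SAML admin logins that are anomalous, with the reason.

    A login is flagged when its source is outside ADMIN_NETWORKS, when the account
    has no SSO history, or both. Non-SSO logins and failures are ignored here."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if ev.get("method") not in SSO_METHODS:
            continue
        reasons = []
        if is_external(ev.get("srcip", "")):
            reasons.append("external-source")
        if ev.get("user") not in known_users:
            reasons.append("no-sso-history")
        if reasons:
            hits.append({
                "time": f'{ev.get("date", "?")} {ev.get("time", "?")}',
                "user": ev.get("user", "?"),
                "srcip": ev.get("srcip", "?"),
                "method": ev.get("method", "?"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_sso_logins(SAMPLE_LOGS):
        print(f'{hit["time"]} user={hit["user"]} srcip={hit["srcip"]} '
              f'method={hit["method"]} reasons={",".join(hit["reasons"])}')
```

On the constructed sample the script flags two events: the `admin` SSO login from `203.0.113.77` (outside the management ranges) and the `svc-new` SAML login from `198.51.100.9` (external source and an account with no SSO history). The in-network SSO login and the plain HTTPS logins are left alone, which is what keeps the false-positive rate in line with the Medium rating in the table; extending the allowlist and the known-user baseline from real history is the tuning step before using this at scale.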
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Disable FortiCloud SSO on all Fortinet devices if you do not require this feature.
- Prevent unrestricted remote administrative access to any internet-exposed edge network devices.
- Use out-of-band access or apply a local-in policy to restrict IP addresses accessing the administrative interface.
Infrastructure Hardening
- Patch all affected Fortinet products (FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiSwitchManager, FortiWeb) to the latest fixed versions as outlined in the advisory.
- Segment and separate information networks.
- Isolate web-facing applications.
User Protection
- N/A
Security Awareness
- Monitor the Fortinet PSIRT webpage for updates regarding CVE-2026-24858 and related vulnerabilities.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts