Fortinet has released an advisory for two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719. These vulnerabilities allow malicious actors to bypass SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices.
The affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Although credentials stored in network appliance configurations are typically hashed, threat actors can crack those hashes offline, especially when the underlying credentials are weak.
To mitigate the attack, follow these recommendations:
* Reset Firewall Credentials if Affected
* Limit Access to Management Interfaces of Firewall and VPN Appliances to Trusted Internal Users
* Upgrade to Latest Fixed Version
Fortinet recommends turning off FortiCloud login temporarily until upgrading to a non-affected version. The affected products and their fixed versions are listed below.
| Product | Affected Version | Fixed Version |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | 7.0.18 or above |
| FortiProxy 7.6 | 7.6.0 through 7.6.3 | 7.6.4 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.10 | 7.4.11 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.14 | 7.2.15 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.21 | 7.0.22 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | 7.0.6 or above |
| FortiWeb 8.0 | 8.0.0 | 8.0.1 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | 7.4.10 or above |
Note: The following products are unaffected by the vulnerabilities: FortiOS 6.4, FortiWeb 7.0, and FortiWeb 7.2.
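A practical use of the table above is to run it against a device inventory and flag which appliances still need the upgrade (or the temporary FortiCloud login workaround). The following Python script is an added example, not code from Fortinet or Arctic Wolf: the version ranges are transcribed from the advisory table, the version-comparison logic and the `assess`/`check_inventory` helper names are this example's own, and the sample inventory at the bottom is constructed for illustration.

```python
"""Inventory check against the Fortinet advisory table for
CVE-2025-59718 / CVE-2025-59719 (added example; not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '7.4.9' into (7, 4, 9) so versions compare numerically.
    A two-component string such as '7.4' is padded to (7, 4, 0)."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]


@dataclass(frozen=True)
class Branch:
    product: str         # product family, e.g. "FortiOS"
    first_affected: str  # inclusive lower bound of the affected range
    last_affected: str   # inclusive upper bound of the affected range
    fixed: str           # first release that carries the fix


# Transcribed from the advisory table (one entry per release branch).
ADVISORY = [
    Branch("FortiOS", "7.6.0", "7.6.3", "7.6.4"),
    Branch("FortiOS", "7.4.0", "7.4.8", "7.4.9"),
    Branch("FortiOS", "7.2.0", "7.2.11", "7.2.12"),
    Branch("FortiOS", "7.0.0", "7.0.17", "7.0.18"),
    Branch("FortiProxy", "7.6.0", "7.6.3", "7.6.4"),
    Branch("FortiProxy", "7.4.0", "7.4.10", "7.4.11"),
    Branch("FortiProxy", "7.2.0", "7.2.14", "7.2.15"),
    Branch("FortiProxy", "7.0.0", "7.0.21", "7.0.22"),
    Branch("FortiSwitchManager", "7.2.0", "7.2.6", "7.2.7"),
    Branch("FortiSwitchManager", "7.0.0", "7.0.5", "7.0.6"),
    Branch("FortiWeb", "8.0.0", "8.0.0", "8.0.1"),
    Branch("FortiWeb", "7.6.0", "7.6.4", "7.6.5"),
    Branch("FortiWeb", "7.4.0", "7.4.9", "7.4.10"),
]

# Branches the advisory explicitly lists as unaffected.
UNAFFECTED_BRANCHES = {
    ("FortiOS", (6, 4)),
    ("FortiWeb", (7, 0)),
    ("FortiWeb", (7, 2)),
}


def assess(product: str, version: str) -> dict:
    """Classify one device as affected / fixed / unaffected / not listed,
    and name the first fixed release where the advisory gives one."""
    ver = parse_version(version)
    branch = ver[:2]
    if (product, branch) in UNAFFECTED_BRANCHES:
        return {"status": "unaffected", "fixed": None}
    for b in ADVISORY:
        if b.product != product:
            continue
        lo, hi = parse_version(b.first_affected), parse_version(b.last_affected)
        if lo[:2] != branch:
            continue
        if lo <= ver <= hi:
            return {"status": "affected", "fixed": b.fixed}
        return {"status": "fixed", "fixed": b.fixed}
    # Product or branch absent from the table: do not assume it is safe.
    return {"status": "not-in-advisory", "fixed": None}


def check_inventory(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """Run assess() over (hostname, product, version) rows and attach the
    action the advisory recommends for affected devices."""
    findings = []
    for host, product, version in inventory:
        result = assess(product, version)
        if result["status"] == "affected":
            action = (f"upgrade to {result['fixed']} or later; disable "
                      "FortiCloud login until then; restrict management "
                      "access; reset credentials if compromise is suspected")
        elif result["status"] == "not-in-advisory":
            action = "not in the advisory table; confirm with the vendor"
        else:
            action = "no action required for this advisory"
        findings.append({"host": host, "product": product,
                         "version": version, **result, "action": action})
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    SAMPLE = [
        ("fw-edge-01", "FortiOS", "7.4.8"),
        ("fw-edge-02", "FortiOS", "7.4.9"),
        ("fw-legacy", "FortiOS", "6.4.15"),
        ("waf-01", "FortiWeb", "8.0.0"),
        ("proxy-01", "FortiProxy", "7.0.21"),
    ]
    for f in check_inventory(SAMPLE):
        print(f"{f['host']:<12} {f['product']:<18} {f['version']:<8} "
              f"{f['status']:<16} {f['action']}")
```

Versions are compared as integer tuples rather than strings so that, for example, 7.4.10 sorts after 7.4.9. Anything not covered by the table is reported as "not-in-advisory" rather than silently treated as safe; that distinction matters when an inventory contains branches the advisory does not mention.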
Source: https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719