Listen to this Post
Introduction
A new wave of security alerts has swept through the cybersecurity community after Fortinet confirmed two severe vulnerabilities affecting key products that power security infrastructures worldwide. These flaws, hidden deep in the FortiCloud SSO authentication process, open the door for attackers to slip past identity checks with maliciously crafted SAML messages. What follows is a closer look at what happened, why it matters, and how these weaknesses connect to a broader pattern of repeated targeting of Fortinet technologies by advanced threat groups.
Main Summary
A critical security update from Fortinet has revealed two high-risk vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, allowing attackers to bypass FortiCloud SSO authentication by exploiting weak cryptographic signature verification. Tracked as CVE-2025-59718 and CVE-2025-59719, these flaws enable adversaries to send manipulated SAML messages that trick vulnerable devices into allowing unauthorized administrative access. According to Fortinet, the FortiCloud SSO feature is disabled by default unless a device is manually registered to FortiCare, but once enabled, it becomes a potential attack path unless administrators turn off the SSO toggle during registration.
Administrators are now urged to disable FortiCloud SSO if activated, at least until patched to a secure version. This can be done through the GUI under System and Settings or via a CLI command that disables FortiCloud SSO login. Alongside these issues, Fortinet also fixed two additional vulnerabilities: CVE-2025-59808, which lets attackers reset account credentials without entering the existing password, and CVE-2025-64471, allowing logins using password hashes instead of plain credentials.
These incidents highlight a recurring trend. Fortinet appliances continue to be a favorite target for ransomware actors and state-backed espionage groups. Earlier cases include the Chinese-based Volt Typhoon operation, where attackers infiltrated a Dutch Ministry of Defence network using custom Coathanger malware after leveraging older FortiOS VPN flaws. More recently, FortiSIEM and FortiWeb vulnerabilities have been weaponized quickly, sometimes even before public disclosure. In one notable case, exploit code for CVE-2025-25256 appeared online within days, sparking brute-force surges against Fortinet SSL VPN endpoints.
Another FortiWeb zero-day (CVE-2025-58034) surfaced in November, actively attacked just a week after Fortinet admitted it had quietly patched a previously exploited flaw. These repeated incidents underscore an urgent need for organizations to rethink identity and access management structures, especially in environments relying heavily on FortiGate ecosystems. A practical reminder also surfaced in the article’s ending, emphasizing why broken IAM systems can ripple across entire businesses, affecting security, operations, and compliance.
What Undercode Say:
The pattern emerging from Fortinet’s disclosures is not accidental. Security appliances, especially those deployed at the perimeter, are prime targets because they offer attackers a gateway into highly privileged environments. When flaws like compromised SSO authentication arise, they expose the very heart of identity security. Cybercriminals know this, and they strike fast, often within hours of public disclosure or even before vendors issue advisories.
What makes CVE-2025-59718 and CVE-2025-59719 particularly troubling is their exploitation vector. SAML-based authentication should rely on strong signature verification to guarantee identity integrity. Any weakness in this layer can lead to privilege escalation or silent administrative takeover, making the vulnerabilities extremely dangerous in live environments. Even though FortiCloud SSO is disabled by default, the moment an administrator registers devices with FortiCare without adjusting the toggle, risk enters the organization. This small setup detail is the type of misconfiguration attackers love.
The additional flaws patched today reinforce a long-running challenge in IAM security. Allowing password changes without verifying the original password or accepting password hashes as login credentials shows how complex IAM logic can accidentally introduce serious weaknesses. These issues align with a broader truth in cybersecurity: identity systems often fail not because the cryptography is broken but because design assumptions don’t account for creative adversaries.
Threat groups like Volt Typhoon continue to exploit Fortinet devices because they remain widely deployed, deeply integrated, and often difficult to patch quickly in real-world networks. Their successful exploitation of FortiOS SSL VPN vulnerabilities to backdoor a military network demonstrates how attackers chain vulnerabilities with custom malware. These groups invest heavily in reconnaissance, knowing that even small IAM missteps can open up critical infrastructure.
The surge of brute-force attacks against Fortinet SSL VPN portals reflects another harsh reality. Once exploit code becomes public, automated scanners and botnets sweep the internet at massive scale, searching for outdated appliances. Organizations stuck with legacy versions or slow patch cycles are left vulnerable to rapid exploitation.
The recurring zero-day issues in FortiWeb also raise questions about vulnerability discovery processes and how quickly fixes reach customers. Silent patching, while sometimes necessary to prevent exploitation, creates a trust deficit when attackers weaponize flaws before organizations even know they exist.
Ultimately, the message is clear: IAM controls cannot remain siloed or dependent on single security appliances. Identity-based protections work only when authentication layers are resilient, signatures are validated rigorously, and administrative toggles are understood during deployment. The Fortinet ecosystem remains powerful, but the latest incidents highlight the need for disciplined configuration, faster patching workflows, and continuous monitoring for anomalous access attempts.
🔍 Fact Checker Results
CVE details and product impact align with Fortinet’s official advisory. ✅
Past exploitation cases involving Volt Typhoon and Fortinet SSL VPN flaws are publicly documented. ✅
Silent patching and active exploitation of recent FortiWeb issues have been confirmed by Fortinet and security researchers. ✅
📊 Prediction
If organizations continue to rely heavily on edge security appliances without reinforcing IAM fundamentals, similar vulnerabilities will escalate in impact. ⚠️
Expect more Fortinet-related zero-days to surface, especially as threat actors refine SAML and SSO bypass techniques. 🔐
Widespread adoption of strong identity verification and faster patch pipelines will become mandatory, not optional. 📈
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
