Full Report
Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution. The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and
Analysis Summary
# Vulnerability: Critical Fortinet Flaws Allow Authentication Bypass and Code Execution via Cryptographic Signature Issues
## CVE Details
- CVE ID: CVE-2025-59718, CVE-2025-59719
- CVSS Score: 9.8 (Critical)
- CWE: CWE-347 (Improper Verification of Cryptographic Signature)
## Affected Systems
- Products: FortiOS, FortiWeb, FortiProxy, FortiSwitchManager
- Versions: Not explicitly listed, but applies where the FortiCloud SSO login feature is enabled.
- Configurations: **Requires the FortiCloud SSO login feature to be enabled.** This occurs when an administrator registers the device to FortiCare and has not disabled the toggle "Allow administrative login using FortiCloud SSO" during registration. Default factory settings are not vulnerable if this feature remains disabled.
## Vulnerability Description
These vulnerabilities relate to an Improper Verification of Cryptographic Signature flaw. If successfully exploited, an unauthenticated attacker can bypass the FortiCloud Single Sign-On (SSO) login authentication by sending a specially crafted SAML (Security Assertion Markup Language) message to the affected device. This could ultimately lead to authentication bypass and potential code execution depending on the specific product context, though the documented primary path detailed involves authentication bypass.
## Exploitation
- Status: **Not explicitly confirmed exploited in the wild**, but the severity suggests high risk.
- Complexity: Low (as it targets unauthenticated access, though configuration dependency exists).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Authentication bypass facilitates unauthorized access)
- Integrity: High (Authentication bypass leads to potential unauthorized changes)
- Availability: High (Potential for unauthorized access impacting service availability)
## Remediation
### Patches
- Patches are available from Fortinet, detailed in their advisories (reference required for specific version numbers). Update affected products to the latest patched versions immediately.
### Workarounds
Organizations are strongly advised to disable the FortiCloud login feature if it is currently enabled:
1. **GUI Method:** Navigate to `System -> Settings` and switch "Allow administrative login using FortiCloud SSO" to **Off**.
2. **CLI Method:** Execute the following commands:
config system global
set admin-forticloud-sso-login disable
end
## Detection
- **Indicators of Compromise (IoCs):** Review logs for suspicious SAML message activity targeting administrative login endpoints, especially if associated with external FortiCloud SSO configurations.
- **Detection Methods and Tools:** Monitor network traffic and product logs for unexpected or malformed SAML requests attempting authentication against administrative interfaces.
## References
- Vendor Advisory: [fortiguard.fortinet.com/psirt/FG-IR-25-647 (Defanged)](https://fortiguard.fortinet.com/psirt/FG-IR-25-647)