Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication.

Threat actors can exploit the two security flaws tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb) by abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAML message.

However, as Fortinet explained in an advisory published today, the vulnerable FortiCloud feature is not enabled by default when the device is not FortiCare-registered.

“Please note that the FortiCloud SSO login feature is not enabled in default factory settings,” Fortinet said. “However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch ‘Allow administrative login using FortiCloud SSO’ in the registration page, FortiCloud SSO login is enabled upon registration.”

To protect their systems against attacks exploiting these vulnerabilities, admins are advised to temporarily disable the FortiCloud login feature (if enabled) until they upgrade to a non-vulnerable version.

To disable FortiCloud login, navigate to System -> Settings and switch “Allow administrative login using FortiCloud SSO” to Off. Alternatively, you can run the following command from the command-line interface:

config system global
set admin-forticloud-sso-login disable
end

Today, the company also patched an unverified password change vulnerability (CVE-2025-59808) that allows attackers “who gained access to a victim’s user account to reset the account credentials without being prompted for the account’s password,” and another one that can let threat actors authenticate using the hash in place of the password (CVE-2025-64471).

Fortinet security vulnerabilities are frequently exploited (often as zero days) in both ransomware and cyber-espionage attacks.

For instance, Fortinet disclosed in February that the Chinese Volt Typhoon hacking group backdoored a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware after exploiting two FortiOS SSL VPN flaws (CVE-2023-27997 and CVE-2022-42475).

More recently, in August, Fortinet patched a command injection vulnerability (CVE-2025-25256) with publicly available exploit code in its FortiSIEM security monitoring solution, one day after cybersecurity company GreyNoise reported a massive spike in brute-force attacks targeting Fortinet SSL VPNs.

In November, Fortinet warned of a FortiWeb zero-day (CVE-2025-58034) that was actively exploited in attacks, one week after confirming that it had silently patched another massively exploited FortiWeb zero-day (CVE-2025-64446).