FortiCloud SSO SAML Signature Bypass: Anatomy, Impact, and Lessons from a Major Authentication Flaw

A single misstep in authentication can open the floodgates to thousands of network breaches. That’s exactly what happened when security researchers uncovered a critical SAML signature validation flaw in FortiCloud SSO, tracked as CVE-2025-59718 and CVE-2025-59719. Over 25,000 Fortinet devices—spanning FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb—were left exposed to remote attacks, with the United States and India topping the list of at-risk regions.

This vulnerability isn’t just a technical hiccup; it’s a master key for attackers. By forging SAML assertions, cybercriminals can bypass authentication entirely, gaining administrative access without ever needing a password. The scale is staggering: as of December 2025, scans by Shadowserver and independent researchers revealed tens of thousands of vulnerable devices, many of which are critical infrastructure for businesses and government agencies (BleepingComputer).

The incident highlights a growing trend—attackers are increasingly targeting identity and access management systems, knowing that a single breach can unlock a treasure trove of sensitive data. With the rise of AI-driven reconnaissance and the proliferation of IoT devices, the stakes have never been higher. This analysis unpacks how the SAML signature bypass works, the real-world impact on organizations, and what lessons can be drawn for the future of secure authentication.

How Attackers Exploit FortiCloud SSO: The SAML Signature Bypass Explained

Anatomy of the SAML Signature Bypass Vulnerability

The core of the recent FortiCloud SSO vulnerability lies in the improper handling of Security Assertion Markup Language (SAML) authentication, specifically a flaw in the validation of SAML signatures. SAML is a widely used protocol for enabling Single Sign-On (SSO) between identity providers and service providers, allowing administrators to authenticate once and gain access to multiple resources. In the case of Fortinet devices, this feature is intended to streamline access for network administrators. However, the vulnerability tracked as CVE-2025-59718 (affecting FortiOS, FortiProxy, and FortiSwitchManager) and CVE-2025-59719 (affecting FortiWeb) allows attackers to bypass authentication by submitting a maliciously crafted SAML message.

In a secure SAML implementation, the service provider (in this case, the Fortinet device) must strictly validate the digital signature on SAML assertions to ensure they originate from a trusted identity provider and have not been tampered with. The flaw in FortiCloud SSO arises when the device fails to properly validate or enforce the SAML signature, enabling attackers to forge assertions that grant them unauthorized administrative access.

This bypass is particularly dangerous because it does not require valid credentials or prior access; an attacker can remotely exploit the flaw simply by sending a specially crafted SAML response to the device’s web management interface. Once authenticated, the attacker gains the same privileges as a legitimate administrator, with the ability to download sensitive configuration files and manipulate device settings (BleepingComputer).

Attack Workflow: From Discovery to Exploitation

The exploitation process typically unfolds in several distinct stages, each leveraging the public exposure of FortiCloud SSO interfaces and the SAML signature validation flaw:

1. Reconnaissance and Target Identification:
   Threat actors utilize internet scanning tools to identify Fortinet devices with FortiCloud SSO enabled and accessible over the internet. According to Shadowserver, over 25,000 such devices were identified as of December 2025, with more than 5,400 in the United States and nearly 2,000 in India. Macnica researcher Yutaka Sejiyama’s independent scans found over 30,000 exposed devices, highlighting the widespread nature of the risk.

2. Crafting Malicious SAML Assertions:
   Attackers generate SAML assertions that mimic legitimate authentication responses. By exploiting the signature validation flaw, these assertions can be accepted by the device even though they have not been signed by a trusted identity provider. The attacker can specify arbitrary usernames and privileges within the assertion, effectively granting themselves administrative access.

3. Submission to the Web Management Interface:
   The forged SAML assertion is submitted via the device’s web management interface. Since the vulnerable devices do not properly verify the authenticity of the signature, the assertion is accepted, and the attacker is granted access.

4. Post-Exploitation Activities:
   With administrative access, attackers can download system configuration files, which may include hashed passwords, details of network layouts, firewall policies, and information about other internet-facing services. These files can be used for further attacks, lateral movement within the network, or to facilitate ransomware operations (BleepingComputer).

Impact of the Exploit: Privilege Escalation and Data Exposure

The immediate consequence of the SAML signature bypass is unauthorized privilege escalation. Attackers who successfully exploit the vulnerability obtain full administrative rights to the affected Fortinet device. This level of access allows them to:

• Download and Exfiltrate Configuration Files:
  System configuration files often contain sensitive information, including hashed administrator passwords, VPN credentials, and details about network topology. Attackers can use these files to crack password hashes offline, map out the network for further exploitation, and identify additional vulnerable assets.

• Manipulate Security Policies:
  With administrative privileges, attackers can alter firewall rules, disable security features, or create backdoors for persistent access. This can be leveraged to facilitate broader compromises within the victim’s environment.

• Stage Further Attacks:
  The information gleaned from compromised devices can be used to launch phishing campaigns, ransomware attacks, or to pivot to other systems within the network.

The scale of exposure is significant. With tens of thousands of devices accessible from the public internet, the attack surface is vast and global. The lack of information on how many devices have been patched or otherwise secured further exacerbates the risk (Shadowserver).

Techniques Used by Attackers to Evade Detection

Attackers exploiting the SAML signature bypass often employ additional techniques to minimize detection and prolong their access:

• Stealthy SAML Assertion Generation:
  By carefully crafting SAML assertions to closely resemble legitimate authentication traffic, attackers can evade basic anomaly detection systems that look for unusual login patterns.

• Use of Proxies and Anonymization Services:
  To obscure their origin, attackers frequently route their traffic through VPNs, Tor nodes, or compromised servers, making it difficult for defenders to trace the source of the attack.

• Targeted Exploitation Windows:
  Threat actors often time their attacks to coincide with weekends, holidays, or periods of reduced monitoring, increasing the likelihood that their activities will go unnoticed.

• Selective Data Exfiltration:
  Rather than downloading all available data at once, attackers may exfiltrate configuration files and other sensitive information in small increments to avoid triggering alarms related to large data transfers.

These techniques, combined with the inherent stealth of the SAML signature bypass, make detection and response challenging for security teams.

Broader Security Implications and Response Challenges

The exploitation of the SAML signature bypass in FortiCloud SSO devices has broader implications for both organizations and the cybersecurity community:

• Supply Chain and Third-Party Risk:
  Many organizations rely on managed service providers (MSPs) or third-party vendors to administer their Fortinet devices. If these devices are compromised, attackers may gain indirect access to multiple client networks, amplifying the impact of a single exploit.

• Regulatory and Compliance Exposure:
  The exposure of sensitive configuration data and potential unauthorized access to protected information can have serious regulatory consequences, particularly for organizations subject to data protection laws such as GDPR, HIPAA, or industry-specific regulations.

• Patch Management and Asset Discovery:
  The fact that over 25,000 devices remain exposed despite the availability of patches highlights ongoing challenges in vulnerability management. Organizations may lack visibility into their internet-facing assets or may not be aware that FortiCloud SSO is enabled by default upon device registration with FortiCare support (BleepingComputer).

• Incident Response Complexity:
  Once an attacker has obtained administrative access, traditional incident response measures may be insufficient. Attackers can erase logs, disable security controls, or create persistent backdoors, complicating efforts to detect and remediate the compromise.

• Mandated Remediation Timelines:
  In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of actively exploited flaws and mandated that federal agencies patch affected devices within seven days, by December 23, 2025 (BleepingComputer). This underscores the urgency of addressing the issue but also places significant pressure on organizations with large or distributed device fleets.

Evolution of Exploitation Tactics and Lessons for Future SSO Implementations

The exploitation of the FortiCloud SSO SAML signature bypass is part of a broader trend in which attackers increasingly target authentication and identity management systems. The following observations can be drawn from the current wave of attacks:

• Zero-Day and N-Day Exploitation:
  Fortinet products have been frequent targets for both zero-day and recently patched (N-day) vulnerabilities, with attackers moving quickly to weaponize new flaws before organizations can deploy fixes. The rapid exploitation of CVE-2025-59718 and CVE-2025-59719 mirrors previous campaigns against FortiOS SSL VPN and FortiWeb zero-days.

• Targeting of SSO and Federated Identity:
  As organizations increasingly adopt SSO and federated identity solutions to simplify access management, attackers are shifting their focus to these systems, knowing that a single compromise can grant access to a wide range of resources.

• Importance of Rigorous Signature Validation:
  The failure to properly validate SAML signatures is a recurring theme in major security incidents. Robust signature validation, including strict adherence to cryptographic best practices and regular third-party code reviews, is essential to prevent similar vulnerabilities in the future.

• Need for Continuous Monitoring and Asset Inventory:
  Organizations must maintain up-to-date inventories of all internet-facing assets and continuously monitor for the exposure of sensitive interfaces. Automated scanning tools and threat intelligence feeds can help identify and remediate exposed devices before they are exploited.

• User Awareness and Administrative Interface Hardening:
  Given the history of administrative GUI vulnerabilities in FortiOS and related products, organizations should restrict access to management interfaces, enforce strong authentication (such as MFA), and regularly audit administrative accounts and access logs.

The ongoing exploitation of the SAML signature bypass in FortiCloud SSO devices serves as a stark reminder of the critical importance of secure authentication practices and the need for rapid, coordinated response to emerging threats (BleepingComputer).

Final Thoughts

The FortiCloud SSO SAML signature bypass is a wake-up call for anyone relying on single sign-on or federated identity solutions. Attackers are no longer just looking for open doors—they’re exploiting the very locks meant to keep them out. The exposure of over 25,000 devices, many still unpatched despite urgent advisories from agencies like CISA, underscores the persistent challenges of vulnerability management and asset visibility (BleepingComputer).

This incident also spotlights the ripple effects of a single authentication flaw: from privilege escalation and data exfiltration to regulatory headaches and supply chain risks. As organizations race to adopt new technologies—AI, IoT, and cloud-native platforms—the importance of rigorous signature validation, continuous monitoring, and hardened administrative interfaces cannot be overstated. The FortiCloud breach isn’t just a cautionary tale; it’s a blueprint for how attackers will continue to target the identity layer in 2025 and beyond.

References

• BleepingComputer. (2025, December). Over 25,000 FortiCloud SSO devices exposed to remote attacks. https://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/