Inside the Fortinet SSO Flaws: How SAML Signature Weaknesses Led to Admin Compromise

A single cryptographic misstep can turn a trusted security appliance into an open door for attackers. That’s exactly what happened with Fortinet’s SSO implementation, where two vulnerabilities—CVE-2025-59718 and CVE-2025-59719—allowed hackers to bypass authentication and seize administrative control. These flaws, rooted in the improper validation of SAML signatures, highlight how even widely adopted protocols like SAML can become Achilles’ heels when not implemented with cryptographic rigor. The fallout was swift: attackers exploited the bugs within days of disclosure, targeting organizations that unknowingly had FortiCloud SSO enabled—a feature often activated automatically during device registration. The incident underscores the high stakes of federated identity security and the importance of rapid patching, as detailed in BleepingComputer’s coverage.

Inside the Fortinet Auth Bypass: How SAML Signature Flaws Opened the Door

Anatomy of the SAML Signature Verification Weakness

The vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719 both stem from improper handling of cryptographic signatures in Security Assertion Markup Language (SAML) messages. SAML is widely used for enabling Single Sign-On (SSO) across enterprise environments, relying on the integrity and authenticity of cryptographically signed assertions to grant access to protected resources.

In the affected Fortinet products, the SAML implementation failed to rigorously validate the cryptographic signatures attached to SAML assertions. Specifically, the flaws allowed attackers to craft malicious SAML assertions that bypassed signature verification checks. This means that an attacker could forge a SAML assertion, present it to the Fortinet device, and be granted administrative access without possessing valid authentication credentials or cryptographic keys.

The technical root cause lies in the insufficient verification of the digital signature’s authenticity and integrity. In a secure SAML workflow, the recipient (in this case, the Fortinet device) should verify that the assertion was signed by a trusted identity provider and that the content has not been tampered with. The vulnerabilities allowed for the acceptance of unsigned or improperly signed assertions, effectively nullifying the security guarantees of SAML-based SSO.

Exploitation Workflow: From Assertion Forgery to Admin Access

Attackers leveraging these flaws followed a multi-step exploitation workflow:

1. Reconnaissance: Attackers first identified Fortinet devices with FortiCloud SSO enabled. This feature, while not active by default, is automatically enabled during device registration via the FortiCare user interface unless explicitly disabled (BleepingComputer).
2. Assertion Crafting: Using knowledge of the SAML protocol and the specifics of Fortinet’s implementation, attackers generated forged SAML assertions. These assertions contained the necessary attributes to impersonate an administrator but were either unsigned or signed with an attacker-controlled key.
3. Submission and Bypass: The crafted assertion was submitted to the Fortinet device’s SSO endpoint. Due to the signature verification flaw, the device accepted the assertion and granted administrative access without requiring valid credentials.
4. Post-Exploitation Actions: Once inside, attackers accessed the web management interface and performed privileged actions, such as downloading system configuration files, which could include hashed passwords, network topology, firewall rules, and other sensitive data.

This workflow demonstrates how a single cryptographic oversight in SAML processing can lead to full administrative compromise, highlighting the critical importance of robust signature validation in federated authentication systems.

Impact Scope: Affected Products, Versions, and Real-World Exploitation

The vulnerabilities affected a broad range of Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. However, not all versions were susceptible. According to Fortinet’s advisory, the following versions were immune:

• FortiOS 6.4
• FortiWeb 7.0 and 7.2

All other major versions, unless patched to the latest releases (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+), remained vulnerable. The attack surface was further limited to devices with FortiCloud SSO enabled, but this feature’s automatic activation during device registration meant that many organizations were unknowingly exposed.

Real-world exploitation was observed beginning December 12, 2025. Cybersecurity firm Arctic Wolf reported that attacks originated from IP addresses associated with The Constant Company, BL Networks, and Kaopu Cloud HK. Attackers specifically targeted administrative accounts, leveraging the SAML flaws to gain privileged access and exfiltrate configuration files (BleepingComputer). The malicious activity was not limited to benign scanning; the attackers demonstrated intent to leverage the stolen data for further campaigns.

Attack Surface Expansion: Automatic SSO Activation and Enterprise Risk

A unique aspect of these vulnerabilities was the manner in which the attack surface was unintentionally broadened. Although FortiCloud SSO is not enabled by default, it becomes active automatically when administrators register devices through the FortiCare user interface. This design choice, intended to streamline user experience, inadvertently increased the number of exposed devices.

Many organizations may have been unaware that SSO was enabled on their Fortinet appliances, especially if they followed standard registration procedures. This lack of visibility compounded the risk, as administrators may not have realized their systems were susceptible to SAML assertion forgery attacks. The ease with which attackers could identify and target such devices—combined with the high privileges granted by SSO—amplified the potential impact of the flaws.

The risk was further heightened by the administrative nature of the compromised accounts. Once inside, attackers could alter firewall policies, manipulate routing tables, and potentially pivot to other internal systems, depending on the network architecture and segmentation.

Defensive Gaps and Remediation Strategies

The discovery and exploitation of these SAML signature flaws exposed several defensive gaps in both product design and operational security practices:

• Lack of Rigorous Signature Validation: The core issue was a failure to enforce strict cryptographic signature checks on SAML assertions. This highlights the necessity for vendors to adhere to security best practices and conduct thorough code reviews of authentication-related components.
• Insufficient Visibility into Feature Activation: The automatic enabling of FortiCloud SSO during device registration created a hidden risk. Organizations should maintain comprehensive inventories of enabled features and conduct regular security audits to identify unexpected exposures.
• Delayed Patch Adoption: Despite Fortinet releasing patches and advisories on December 9, 2025, exploitation began within days. This underscores the importance of rapid patch management processes, especially for critical vulnerabilities affecting authentication mechanisms.
• Credential and Access Hygiene: In the aftermath of compromise, Fortinet and Arctic Wolf recommended rotating firewall credentials and restricting management access to trusted internal networks only. These steps are essential to contain the blast radius of successful attacks and prevent lateral movement.

Administrators can mitigate risk by disabling FortiCloud SSO via the management interface (System → Settings → “Allow administrative login using FortiCloud SSO” = Off) until patched versions are deployed (BleepingComputer). Upgrading to the latest secure releases is strongly advised, with supported versions including FortiOS 7.6.4+, FortiProxy 7.6.4+, FortiSwitchManager 7.2.7+, and FortiWeb 8.0.1+.

Lessons for Federated Identity Security

The Fortinet SAML signature flaws serve as a case study in the risks inherent to federated authentication systems. SAML, while powerful, is complex and susceptible to subtle implementation errors. The following lessons can be drawn for both vendors and enterprise defenders:

• Cryptographic Rigor Is Non-Negotiable: Every step in the authentication chain must be subject to strict cryptographic validation. Even minor oversights can result in catastrophic privilege escalation.
• Feature Exposure Awareness: Automatic activation of features—especially those related to authentication—should be accompanied by clear documentation and administrator alerts. Security through obscurity or convenience can backfire.
• Continuous Monitoring and Threat Intelligence: The rapid exploitation observed in this case demonstrates the need for real-time monitoring of authentication events and integration with threat intelligence feeds to detect and respond to anomalous activity.
• Patch Management as a Security Pillar: With attackers moving quickly to weaponize newly disclosed flaws, organizations must prioritize patching critical vulnerabilities in authentication pathways.

The Fortinet incident underscores the ongoing arms race between defenders and attackers in the realm of identity and access management. As federated authentication grows in adoption, so too does the imperative for rigorous, security-first engineering and vigilant operational practices. For further technical details and ongoing updates, refer to BleepingComputer’s coverage.

Final Thoughts

The Fortinet SSO vulnerabilities serve as a stark reminder that convenience and security are often at odds—especially when features like SSO are enabled by default or through seemingly innocuous setup steps. Attackers wasted no time exploiting these flaws, leveraging them for privileged access and data exfiltration. For defenders, the lessons are clear: cryptographic validation must be airtight, feature exposure should be transparent, and patch management needs to be swift and prioritized. As federated authentication becomes more prevalent—especially with the rise of cloud, IoT, and AI-driven infrastructures—the risks of subtle implementation errors only grow. Staying ahead means not just reacting to incidents, but proactively auditing, monitoring, and questioning every link in the authentication chain. For a deeper technical dive and ongoing updates, see BleepingComputer’s reporting.

References

• Hackers exploit newly patched Fortinet auth bypass flaws (CVE-2025-59718, CVE-2025-59719), 2025, BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/