Analysis

Fortinet on December 9, 2025 disclosed two critical authentication-bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719) impacting FortiOS, FortiWeb, FortiProxy and FortiSwitchManager that allow an unauthenticated actor to bypass FortiCloud SSO via a crafted SAML message when the feature is enabled. Fortinet notes FortiCloud SSO is disabled by factory default but is automatically enabled when an administrator registers a device to FortiCare via the GUI unless the "Allow administrative login using FortiCloud SSO" toggle is turned off. Affected release windows and fixed versions are explicitly published: FortiOS 7.6.0–7.6.3 fixed in 7.6.4+, 7.4.0–7.4.8 fixed in 7.4.9+, 7.2.0–7.2.11 fixed in 7.2.12+, 7.0.0–7.0.17 fixed in 7.0.18+; FortiProxy, FortiWeb and FortiSwitchManager have analogous fixed release thresholds and FortiOS 6.4, FortiWeb 7.0 and 7.2 are unaffected. Fortinet and Arctic Wolf advise immediate upgrade to the listed fixed versions or temporarily disabling FortiCloud SSO via System → Settings or the provided CLI. There is no known in-the-wild exploitation and no public proof-of-concept at this time, but the advisory and historical targeting of Fortinet products increase the probability that threat actors will attempt to weaponize these flaws as an initial-access vector. The public guidance, fixed-release availability and a simple temporary mitigation reduce near-term systemic risk, but customer remediation timelines, patch adoption rates and any future PoC/exploitation will be the primary drivers of operational impact. Market signals show a moderately negative sentiment and a modest market-impact score (0.35), implying potential short-term reputational or service-cost headwinds for Fortinet if patching is slow or incidents follow.