2 min read
The National Computer Emergency Response Team (NCERT) has issued a critical advisory regarding two severe vulnerabilities in Fortinet FortiCloud Single Sign-On (SSO). These flaws carry a catastrophic CVSS score of 9.8, allowing remote, unauthenticated attackers to bypass login controls completely.
If you rely on FortiCloud SSO to manage your firewalls or switches, your infrastructure is at immediate risk.
The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, affect the FortiCloud SSO authentication mechanism. This feature centrally manages security appliances like firewalls, proxies, and web security devices.
The attack vector is straightforward yet devastating. An attacker requires no privileges and no user interaction. They can simply exploit the SSO login process to gain full administrative access. Once inside, they can execute a complete account takeover, modify security configurations, and access sensitive log data.
NCERT: Fortinet FortiCloud Affected Product Matrix
The vulnerability spans multiple product lines. Check your versions immediately against the table below.
| Product | Vulnerable Versions |
| FortiOS |
7.0.0 – 7.0.17 7.2.0 – 7.2.1 7.4.0 – 7.4.8 7.6.0 – 7.6.3 |
| FortiProxy |
7.0.0 – 7.0.2 7.2.0 – 7.2.1 7.4.0 – 7.4.10 7.6.0 – 7.6.3 |
| FortiSwitchManager |
7.0.0 – 7.0.5 7.2.0 – 7.2.6 |
| FortiWeb |
7.4.0 – 7.4.8 7.6.0 – 7.6.4 All 8.0 Builds |
Immediate Mitigation by NCERT: CLI Workaround
If you cannot patch immediately, you must disable FortiCloud SSO to stop the bleeding. National CERT recommends the following CLI workaround.
Execute the following command on the affected devices’ CLI:
config system global
set admin-forticloud-sso-login disable
end
Alternatively, you can apply a fix using your GUI as well:
System → Settings → Switch → Allow administrative login using FortiCloud SSO → Off
Note: This is a temporary fix. Patching is mandatory.
Indicators of Compromise (IoCs)
Sysadmins must review logs for signs of past exploitation. Look for these specific red flags:
- Unauthorised Logins: Unexpected FortiCloud SSO login events.
- Audit Gaps: Missing logs or abnormal timestamps in admin sessions.
- Network Anomalies: Unrecognised IP addresses accessing admin interfaces.
- Account Changes: Sudden password resets or the creation of new administrator accounts.
The Fix
Fortinet has released patched versions. Update your devices to the following builds immediately:
- FortiOS: 7.0.18+, 7.2.2+, 7.4.9+, 7.6.4+
- Refer to the official Fortinet PSIRT advisory for specific builds for FortiProxy, FortiSwitchManager, and FortiWeb.
