NCERT Alert: Fortinet FortiCloud Flaw Allows Full Admin Takeover
The National Computer Emergency Response Team (NCERT) has issued a critical advisory regarding two severe vulnerabilities in Fortinet FortiCloud Single Sign-On (SSO). Both flaws carry a CVSS score of 9.8 (critical): a remote, unauthenticated attacker can bypass the administrative login entirely.
If you rely on FortiCloud SSO to manage your firewalls or switches, your infrastructure is at immediate risk.
The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719, affect the FortiCloud SSO authentication mechanism, which lets administrators log in to Fortinet appliances (firewalls, proxies, switch managers and web security devices) with a FortiCloud account instead of a local admin credential.
The attack vector is straightforward yet devastating. An attacker needs no privileges and no user interaction: by abusing the SSO login flow, they obtain full administrative access without valid credentials. Once inside, they can take over the admin account, modify security configurations, and read sensitive log data.
NCERT: Fortinet FortiCloud Affected Product Matrix
The vulnerability spans multiple product lines. Check your versions immediately against the table below.
| Product | Vulnerable Versions |
|---|---|
| FortiOS | 7.0.0 – 7.0.17, 7.2.0 – 7.2.1, 7.4.0 – 7.4.8, 7.6.0 – 7.6.3 |
| FortiProxy | 7.0.0 – 7.0.2, 7.2.0 – 7.2.1, 7.4.0 – 7.4.10, 7.6.0 – 7.6.3 |
| FortiSwitchManager | 7.0.0 – 7.0.5, 7.2.0 – 7.2.6 |
| FortiWeb | 7.4.0 – 7.4.8, 7.6.0 – 7.6.4, all 8.0 builds |
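Checking a whole fleet against that matrix by eye is error-prone, especially when "get system status" reports versions as "v7.4.8,build2795,...". The script below is an added example (not NCERT's or Fortinet's code) that encodes the ranges exactly as printed in the table above and flags every inventory entry that still runs an affected build. The inventory, hostnames and version strings are constructed; re-check the ranges against the Fortinet PSIRT advisory before acting on the result.

```python
"""Check a device inventory against the affected-version matrix above."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (lowest, highest) affected build, both inclusive; highest=None means every
# build on that branch (the "all 8.0 builds" entry for FortiWeb).
Range = Tuple[Version, Optional[Version]]

# Affected ranges exactly as printed in the matrix above. Re-check them against
# the Fortinet PSIRT advisory before acting on the result.
AFFECTED: Dict[str, List[Range]] = {
    "FortiOS": [((7, 0, 0), (7, 0, 17)), ((7, 2, 0), (7, 2, 1)),
                ((7, 4, 0), (7, 4, 8)), ((7, 6, 0), (7, 6, 3))],
    "FortiProxy": [((7, 0, 0), (7, 0, 2)), ((7, 2, 0), (7, 2, 1)),
                   ((7, 4, 0), (7, 4, 10)), ((7, 6, 0), (7, 6, 3))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 5)), ((7, 2, 0), (7, 2, 6))],
    "FortiWeb": [((7, 4, 0), (7, 4, 8)), ((7, 6, 0), (7, 6, 4)), ((8, 0), None)],
}


def parse_version(text: str) -> Version:
    """Accept '7.4.8', 'v7.4.8' or the 'v7.4.8,build2795,...' form that
    'get system status' prints, and return a tuple that compares numerically."""
    core = text.strip().lstrip("vV").replace(",", " ").split()[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(product: str, version: str) -> bool:
    """True if the build falls inside any affected range for that product."""
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        if high is None:
            if v[:len(low)] == low:          # any build on the listed branch
                return True
        elif low <= v <= high:               # tuple comparison is numeric, not lexical
            return True
    return False


def triage_inventory(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames still running an affected build, sorted for the report."""
    return sorted(d["host"] for d in inventory
                  if is_affected(d["product"], d["version"]))


# Constructed inventory with hypothetical hostnames, e.g. exported from FortiManager.
INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "v7.4.8,build2795,250101 (GA)"},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "7.4.9"},
    {"host": "proxy-dc-01", "product": "FortiProxy", "version": "7.6.3"},
    {"host": "fswm-01", "product": "FortiSwitchManager", "version": "7.2.7"},
    {"host": "waf-01", "product": "FortiWeb", "version": "8.0.2"},
    {"host": "waf-02", "product": "FortiWeb", "version": "7.6.5"},
]

if __name__ == "__main__":
    for host in triage_inventory(INVENTORY):
        print(f"PATCH OR DISABLE SSO: {host}")
```

Versions are compared as integer tuples rather than strings, so 7.4.10 correctly sorts above 7.4.8; a string comparison would get that wrong.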
Immediate Mitigation by NCERT: CLI Workaround
If you cannot patch immediately, you must disable FortiCloud SSO for administrative login to stop the bleeding. NCERT recommends the following CLI workaround.
Execute the following commands on each affected device's CLI:
config system global
set admin-forticloud-sso-login disable
end
Alternatively, you can apply the same change from the GUI:
System → Settings → toggle "Allow administrative login using FortiCloud SSO" to Off
Note: This is a temporary fix, not a patch. Confirm afterwards that the setting reads "disable" in the running configuration, and note that while SSO is off administrators must use local (or other non-FortiCloud) credentials. Patching is mandatory.
Indicators of Compromise (IoCs)
Sysadmins must review logs for signs of past exploitation, going back at least to the point the affected build was installed. Look for these specific red flags:
- Unauthorised Logins: FortiCloud SSO admin login events you cannot tie to a known administrator, time window or source address.
- Audit Gaps: Missing log entries or out-of-order timestamps in admin sessions, which can indicate clock tampering or deleted records.
- Network Anomalies: Unrecognised IP addresses reaching the admin interface.
- Account Changes: Sudden password resets or the creation of new administrator accounts.
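Those four checks are easy to script against exported event logs. The following is an added example (not NCERT's or Fortinet's code) that parses FortiGate-style key=value syslog lines and raises a finding for an SSO admin login from outside the management network, for a new admin object or admin password change, and for a timestamp that runs backwards. The log lines are constructed, and the exact field values (logdesc, method="forticloud-sso", cfgpath, cfgattr) and the 10.20.0.0/24 management network are assumptions: compare them with what your firmware actually emits and adjust the predicates.

```python
"""Triage FortiOS-style event logs for the IoCs listed above."""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in FortiGate key=value syslog style. The field values
# (logdesc, method="forticloud-sso", cfgpath, cfgattr) are assumptions: check
# what your firmware actually emits for an SSO login and adjust the predicates.
SAMPLE_LOGS = [
    'date=2025-12-17 time=08:02:11 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="ops.admin" method="https" srcip=10.20.0.15 action="login" status="success" profile="super_admin"',
    'date=2025-12-17 time=08:40:27 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="ops.admin@example.com" method="forticloud-sso" srcip=10.20.0.15 action="login" status="success" profile="super_admin"',
    'date=2025-12-17 time=21:13:05 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="ops.admin@example.com" method="forticloud-sso" srcip=198.51.100.77 action="login" status="success" profile="super_admin"',
    'date=2025-12-17 time=21:13:40 devname="fw-edge-01" type="event" subtype="system" logdesc="Object attribute configured" user="ops.admin@example.com" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2025-12-17 time=21:14:02 devname="fw-edge-01" type="event" subtype="system" logdesc="Object attribute configured" user="ops.admin@example.com" srcip=198.51.100.77 action="Edit" cfgpath="system.admin" cfgobj="ops.admin" cfgattr="password[*]" msg="Edit system.admin ops.admin"',
    'date=2025-12-17 time=21:09:58 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin logout successful" user="ops.admin@example.com" method="forticloud-sso" srcip=198.51.100.77 action="logout" status="success"',
]

# Assumed: legitimate management access only ever comes from this network.
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

Finding = Tuple[str, int, str]   # (rule, 1-based line number, detail)


def parse_line(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value line into a dict; values may be quoted or bare."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def event_time(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def from_known_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_ADMIN_NETS)


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    latest: Optional[datetime] = None
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        ts = event_time(rec)

        # Unauthorised login: SSO admin login from outside the management network.
        if (rec.get("logdesc") == "Admin login successful"
                and rec.get("method") == "forticloud-sso"
                and not from_known_net(rec["srcip"])):
            findings.append(("sso_login_unknown_source", lineno,
                             f"{rec['user']} from {rec['srcip']}"))

        # Account changes: new administrator object, or an admin password rewrite.
        if rec.get("cfgpath") == "system.admin":
            if rec.get("action") == "Add":
                findings.append(("admin_account_created", lineno, rec.get("cfgobj", "?")))
            elif rec.get("cfgattr", "").startswith("password"):
                findings.append(("admin_password_changed", lineno, rec.get("cfgobj", "?")))

        # Audit gap / abnormal timestamp: an appended stream should never run backwards.
        if latest is not None and ts < latest:
            findings.append(("timestamp_regression", lineno, f"{ts} logged after {latest}"))
        latest = ts if latest is None else max(latest, ts)
    return findings


if __name__ == "__main__":
    for rule, lineno, detail in triage(SAMPLE_LOGS):
        print(f"line {lineno}: {rule}: {detail}")
```

On the sample above the benign SSO login from 10.20.0.15 is not reported; the evening login from 198.51.100.77, the "svc_backup" admin it creates, the password rewrite and the backwards timestamp each produce one finding. Feed it your real export and expect to tune the management network and the login predicate first.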
The Fix
Fortinet has released patched versions. Update your devices to the following builds or later immediately, then re-enable FortiCloud SSO only if you actually need it:
- FortiOS: 7.0.18+, 7.2.2+, 7.4.9+, 7.6.4+
- Refer to the official Fortinet PSIRT advisory for specific builds for FortiProxy, FortiSwitchManager, and FortiWeb.

