Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in Multiple Fortinet Products

12 December 2025

Fortinet has released security updates to address critical vulnerabilities affecting their FortiOS, FortiWeb, FortiProxy and FortiSwitchManager products. Users and administrators of affected product versions are advised to update to the latest version immediately.

Background

Fortinet has released security updates to address critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting FortiOS, FortiProxy, FortiSwitchManager and FortiWeb. Both vulnerabilities have a Common Vulnerability Scoring System (CVSS v3.0) score of 9.8 out of 10. 

Impact

Successful exploitation of the vulnerabilities could lead to the following:

  • CVE-2025-59718: This vulnerability involves improper verification of cryptographic signatures in versions of Fortinet FortiOS, FortiProxy, and FortiSwitchManager, which could allow an unauthenticated attacker to bypass FortiCloud SSO login authentication via a crafted SAML response message.

  • CVE-2025-59719: This vulnerability involves improper verification of cryptographic signatures in Fortinet FortiWeb, which could allow an unauthenticated attacker to bypass FortiCloud SSO login authentication via a crafted SAML response message.

Affected Products

The vulnerabilities affect the following product versions:  

  • FortiOS

    • 7.0.0 through 7.0.17

    • 7.2.0 through 7.2.11

    • 7.4.0 through 7.4.8

    • 7.6.0 through 7.6.3

  • FortiProxy

    • 7.0.0 through 7.0.21

    • 7.2.0 through 7.2.14

    • 7.4.0 through 7.4.10

    • 7.6.0 through 7.6.3

  • FortiSwitchManager

    • 7.0.0 through 7.0.5

    • 7.2.0 through 7.2.6

  • FortiWeb

    • 7.4.0 through 7.4.9

    • 7.6.0 through 7.6.4

    • 8.0.0

Mitigation

Users and administrators of affected products are advised to update the affected products to the latest version immediately.

Workaround

If patching is not immediately possible, administrators may consider turning off the FortiCloud login feature (if enabled) temporarily until upgrading to a non-affected version. To turn off FortiCloud login, go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off. Alternatively, type the following command in the CLI:

  • config system global

  • set admin-forticloud-sso-login disable

  • end

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-647

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-multiple-fortinet-products-forticloud-sso-login-authentication-bypass

https://nvd.nist.gov/vuln/detail/CVE-2025-59718

https://nvd.nist.gov/vuln/detail/CVE-2025-59719

https://arcticwolf.com/resources/blog/cve-2025-59718-and-cve-2025-59719/

Back to top