Analysis of Single Sign-On Abuse on FortiOS

**Executive summary:** Fortinet disclosed two FortiCloud SSO bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719) that permit unauthenticated SAML SSO bypass across multiple Fortinet products; active exploitation has been observed with attacker SSO logins, specific IP addresses, and creation of local admin accounts for persistence, and Fortinet provides IOCs and mitigation recommendations including disabling FortiCloud SSO and restricting admin access.