Number: AL25-019
Date: December 15, 2025
Updated: January 28, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Cyber Centre is aware of critical FortiCloud SSO Login Authentication Bypass vulnerabilitiesFootnote 1 affecting Fortinet products with this login feature enabled. Following the vendor advisory, the Cyber Centre issued AV25-821Footnote 2 on December 9, 2025.
CVE-2025-59718Footnote 3 and CVE-2025-59719Footnote 4 are improper verification of cryptographic signature vulnerabilities (CWE-347)Footnote 5 that may allow an unauthenticated attacker to bypass FortiCloud SSO login authentication by sending a crafted SAML response message.
Update 1
On January 22, 2026, Fortinet released an emergency blog postFootnote 7 regarding new instances of exploitation on devices with the FortiCloud SSO login feature enabled. Although the original patch had been installed, some Fortinet customers reported unexpected login activity on their devices that appeared similar to the previously observed issue. Fortinet's product security team has identified the root cause and is working on a fix. In the meantime, organizations are advised to block administrative access to SAML-enabled devices from the Internet, restrict that access to local IP addresses only, and disable the FortiCloud SSO feature.
It is important to note that, while exploitation has so far only been observed involving FortiCloud SSO, the issue is applicable to all SAML SSO implementations in Fortinet products.
Indicators of Compromise (IOCs) have been provided in Fortinet's blog post.
End of Update 1
Update 2
On January 27, 2026, Fortinet updated their PSIRT advisory to add CVE-2026-24858Footnote 9, along with additional affected products, versions and Indicators of CompromiseFootnote 10.
On January 27, 2026, in response to the vendor advisory, the Cyber Centre released AV26-059Footnote 11.
On January 27, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalogueFootnote 12.
For CVE-2026-24858, the Cyber Centre recommends that organizations upgrade affected Fortinet products to the fixed versions listed below:
| Affected product | Affected version | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to upcoming 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to upcoming 7.0.19 or above |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to upcoming 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to upcoming 7.4.13 or above |
| FortiProxy 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
End of Update 2
Suggested actions
For CVE-2025-59718 and CVE-2025-59719, the Cyber Centre recommends that organizations upgrade affected Fortinet products to the fixed versions listed below:
| Affected product | Affected version | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiProxy 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.14 | Upgrade to 7.2.15 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.21 | Upgrade to 7.0.22 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiWeb 8.0 | 8.0.0 | Upgrade to 8.0.1 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
If patching is not possible at this time, the Cyber Centre strongly recommends that organizations follow Fortinet's customer guidance for mitigationFootnote 1, which is to temporarily turn off the FortiCloud login feature (if enabled) until the device is upgraded to a non-affected version.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security ActionsFootnote 6, with emphasis on the following:
- Patching operating systems and applications
- Segment and separate information
- Isolating web-facing applications
Should activity matching the content of this alert be discovered, recipients are encouraged to report it via My Cyber Portal or by email to contact@cyber.gc.ca.
Update 1
Recommended mitigation measures:
- Disable FortiCloud SSO on all Fortinet devices if you do not require this feature.
- Prevent unrestricted remote administrative access to any internet-exposed edge network device.
- Use out-of-band access, or apply a local-in policy, to restrict which IP addresses can reach the administrative interface.
- Analyze logs and configurations for signs of compromise using the IOCs provided in the blog post.
- Review Fortinet's blog postFootnote 7 for additional details if signs of compromise are detected.
Fortinet will update the blog post once a full advisory is available. Organizations should monitor the Fortinet PSIRT webpageFootnote 8 for updates.
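As an added example (not part of this alert, and not Fortinet's code or IOCs), the following Python script checks a FortiOS configuration backup and admin-login event logs against the mitigations listed above: it reports whether the `admin-forticloud-sso-login` setting under `config system global` is still enabled, lists administrator accounts that have no trusthost restriction, and flags successful administrative logins whose source address lies outside the networks you treat as trusted management networks. The configuration fragment and log lines embedded in the script are constructed samples written in FortiOS key=value style, not data from a real device, and the trusted-network list is an assumed placeholder to replace with your own ranges. Fortinet's actual IOCs remain in the blog post and should be applied alongside this check.

```python
"""Audit helper for the mitigations above: is FortiCloud SSO admin login still
enabled, are admin accounts restricted by trusthost, and are successful admin
logins arriving from outside the trusted management networks?

Added example for this alert, not Fortinet code. SAMPLE_CONFIG and SAMPLE_LOGS
are constructed in FortiOS style; TRUSTED_NETS is an assumed placeholder.
"""
import ipaddress
import re

# Constructed FortiOS-style configuration backup fragment (not from a device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.0.0
    next
    edit "svc-ops"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Constructed FortiOS-style event log lines (key=value syslog format).
SAMPLE_LOGS = """\
date=2026-01-23 time=03:14:07 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.10.4.20)" method="https" srcip=10.10.4.20 action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.4.20)"
date=2026-01-23 time=03:22:51 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="svc-ops" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 action="login" status="success" msg="Administrator svc-ops logged in successfully from https(203.0.113.45)"
date=2026-01-23 time=03:23:10 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" method="https" srcip=198.51.100.9 action="login" status="failed" msg="Administrator admin login failed from https(198.51.100.9)"
"""

# Assumed placeholder: networks allowed to reach the administrative interface.
TRUSTED_NETS = ["10.10.0.0/16"]


def parse_config(text):
    """Parse FortiOS config/edit/set/next/end syntax into nested dicts, e.g.
    {"system global": {...}, "system admin": {"admin": {...}, ...}}.
    Values are whitespace-split tokens with quotes removed; quoted values
    containing spaces (such as comments) are not handled by this parser."""
    root, stack = {}, []  # stack of dicts for the currently open blocks
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            node = {}
            (stack[-1] if stack else root)[" ".join(tok[1:])] = node
            stack.append(node)
        elif tok[0] == "edit":
            node = {}
            stack[-1][tok[1].strip('"')] = node
            stack.append(node)
        elif tok[0] == "set":
            stack[-1][tok[1]] = [t.strip('"') for t in tok[2:]]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def audit_config(cfg):
    """Return human-readable findings for the configuration mitigations."""
    findings = []
    # A backup lists only non-default values; treat an absent knob as disabled.
    sso = cfg.get("system global", {}).get("admin-forticloud-sso-login", ["disable"])
    if sso[0] == "enable":
        findings.append("admin-forticloud-sso-login is enabled; disable it unless required")
    for name, admin in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(f"admin '{name}' has no trusthost restriction")
    return findings


LOG_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split a FortiOS key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in LOG_KV.findall(line)}


def untrusted_admin_logins(log_text, trusted_nets):
    """Return (timestamp, user, srcip) for successful admin logins whose source
    is outside trusted_nets. Failed logins are skipped: they deserve review,
    but the signal this alert describes is an unexpected successful login."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        src = ipaddress.ip_address(ev["srcip"])
        if not any(src in net for net in nets):
            hits.append((f"{ev['date']} {ev['time']}", ev["user"], str(src)))
    return hits


if __name__ == "__main__":
    for finding in audit_config(parse_config(SAMPLE_CONFIG)):
        print("CONFIG:", finding)
    for when, user, src in untrusted_admin_logins(SAMPLE_LOGS, TRUSTED_NETS):
        print("LOGIN :", when, user, "from", src)
```

Run against a real backup (`execute backup config` output) and exported event logs by replacing the two sample strings; the parser deliberately ignores anything other than `config`, `edit`, `set`, `next` and `end`, so unrelated sections pass through without affecting the findings. A successful login from an address you do not recognise is a reason to pull the device's full logs and compare them against Fortinet's published IOCs, not a confirmation of compromise on its own.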
End of Update 1