Fortinet disclosed a critical cryptographic signature verification vulnerability (CVE-2025-59718, CVE-2025-59719) affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allows unauthenticated attackers to bypass FortiCloud SSO login authentication through crafted SAML messages. The vulnerability stems from improper verification of cryptographic signatures (CWE-347) and affects FortiOS versions 7.0.0-7.0.17, 7.2.0-7.2.11, 7.4.0-7.4.8, and 7.6.0-7.6.3, with similar version ranges for other affected products. While FortiCloud SSO is disabled by default in factory settings, the feature automatically enables when administrators register devices to FortiCare unless explicitly disabled via the “Allow administrative login using FortiCloud SSO” toggle during registration. The vulnerability allows complete authentication bypass through malicious SAML message manipulation, granting unauthorized administrative access to affected devices. Fortinet internally discovered the issue through their Product Security team members Yonghui Han and Theo Leleu, with a CVSS v3 score of 9.1 indicating critical severity. Emergency mitigation requires disabling FortiCloud login via System Settings or CLI command “config system global set admin-forticloud-sso-login disable end” until patches are applied. All affected products have received security updates with FortiOS requiring upgrades to versions 7.0.18, 7.2.12, 7.4.9, or 7.6.4 depending on the deployed branch.

Impact: This vulnerability enables unauthenticated attackers to gain full administrative access to critical network security infrastructure without valid credentials. Compromised FortiGate firewalls, FortiWeb WAFs, and FortiProxy systems expose entire network perimeters to unauthorized configuration changes, traffic interception, and security policy manipulation. Organizations face immediate risks of network breach, data exfiltration, and complete security control bypass through exploitation of trusted SSO mechanisms. The automatic enablement during FortiCare registration means many organizations may be unknowingly exposed despite never manually configuring FortiCloud SSO.

Recommendation: Organizations must immediately disable FortiCloud SSO login on all vulnerable devices via “config system global set admin-forticloud-sso-login disable end” command until patches are applied. Prioritize upgrading FortiOS to 7.6.4/7.4.9/7.2.12/7.0.18, FortiProxy to 7.6.4/7.4.11/7.2.15/7.0.22, FortiWeb to 8.0.1/7.6.5/7.4.10, and FortiSwitchManager to 7.2.7/7.0.6 based on current versions. Review FortiCare registration procedures to ensure SSO toggle is explicitly disabled during device onboarding. Use Fortinet’s upgrade path tool at docs.fortinet.com/upgrade-tool to plan coordinated updates across infrastructure.

PCI-SIG disclosed three vulnerabilities (CVE-2025-9612, CVE-2025-9613, CVE-2025-9614) affecting PCIe Base Specification Revision 5.0 and later implementations of Integrity and Data Encryption (IDE) features. The Forbidden IDE Reordering flaw allows Man-in-the-Middle attackers to reorder IDE-protected Transaction Layer Packets without triggering detection at receivers, bypassing integrity protections designed to secure PCIe communications. Delayed Posted Redirection occurs when security modules fail to properly flush or re-key IDE streams during device rebinding, allowing stale write transactions from previous security contexts to leak into new trusted domains. Completion Timeout Redirection enables tag aliasing when Non-Posted Request timeouts release tags back to the pool, potentially delivering completions to incorrect security contexts. The vulnerabilities affect systems implementing IDE and Trusted Domain Interface Security Protocol (TDISP), exposing isolation boundaries between trusted execution environments. Exploitation requires MITM positioning for reordering attacks or timing-based attacks leveraging completion timeouts and device rebinding operations. All three flaws compromise the fundamental security guarantees of IDE protocol, which was designed to protect PCIe transactions from tampering and ensure confidentiality between isolated security domains.

Impact: These vulnerabilities enable attackers to breach isolation between trusted execution environments in systems relying on PCIe IDE for hardware-level security. Transaction reordering attacks violate data integrity protections allowing undetected manipulation of protected communications between PCIe components. Cross-context data leakage through stale transactions compromises confidentiality between isolated security domains, potentially exposing sensitive data from one virtual machine or container to another. Organizations using IDE-enabled hardware for secure computing, confidential computing, or multi-tenant isolation face immediate risks to their security boundaries.

Recommendation: Organizations should review PCI-SIG Engineering Change Notifications (ECN) document 22976 and work with hardware vendors to determine vulnerability exposure in PCIe components. Implement proper IDE stream flushing and re-keying procedures during device rebinding operations to prevent stale transaction leakage. Deploy firmware and driver updates from vendors implementing the ECN mitigations as they become available. Consider additional security layers beyond IDE for critical isolation requirements until patches are widely deployed.

A newly disclosed Apache Tika vulnerability, CVE-2025-66516, carries a CVSS score of 10.0 and significantly expands the scope of a previously reported XXE flaw (CVE-2025-54988). The issue impacts tika-core, tika-parser-pdf-module, and earlier tika-parsers packages across versions 1.13 through 3.2.1, allowing attackers to trigger XML External Entity injection using a crafted XFA object embedded inside a PDF. While earlier reporting suggested the vulnerable entry point was the PDF parser module, maintainers clarified that the root cause and fix reside inside tika-core, meaning organizations that only upgraded parser modules remain exposed. Further review confirmed that older 1.x versions of Tika—which house the PDFParser within the general tika-parsers bundle—were also vulnerable but were not previously included in the affected package list. The flaw allows adversaries to abuse XML entity expansion to read arbitrary files on the server, perform SSRF-like requests, or in some cases chain the issue toward remote code execution depending on how Tika is embedded into downstream applications. Given Tika’s widespread use in document ingestion pipelines, indexing systems, content scanners, and data processing workflows, exploitation risks extend across a broad ecosystem.

Impact: Threat actors can weaponize PDFs containing malicious XFA structures to force server-side file disclosure, internal network probing, or other XXE-driven attacks wherever Tika processes untrusted documents. This may expose sensitive credentials, application configs, IAM tokens, or proprietary data stored on the server, potentially enabling lateral movement or deeper compromise. Because many orgs embed Tika indirectly via search platforms, content management systems, or threat-intel pipelines, they may be unknowingly vulnerable even if Tika is not explicitly deployed.

Recommendation: Organizations should upgrade tika-core and tika-parser-pdf-module to version 3.2.2 or higher, and migrate any remaining 1.x or 2.x parser bundles to fixed releases (parser updates alone do not resolve the flaw unless core is updated). Inventory all applications and dependencies that rely on Tika—directly or via transitive Maven dependencies—and validate that build systems are pulling patched artifacts. Reinforce document-processing workflows with sandboxing, XML entity resolution hardening, and strict isolation of PDF ingestion services. Finally, monitor for suspicious PDF submissions containing XFA objects, anomalous file-read attempts, or unexpected outbound network requests originating from Tika-based services.