Cyber Posture

CVE-2025-59718

CriticalCISA KEVActive Exploitation

Published: 09 December 2025

Published
09 December 2025
Modified
17 December 2025
KEV Added
16 December 2025
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0939 92.8th percentile
Risk Priority 45 60% EPSS · 20% KEV · 20% CVSS

Description

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through…

more

7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely patching of the improper cryptographic signature verification flaw in affected Fortinet products, directly eliminating the SAML authentication bypass vulnerability.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Mandates receiving and implementing Fortinet PSIRT advisories and CISA KEV catalog entries for this known exploited vulnerability to enable rapid remediation.

SI-7 Software, Firmware, and Information Integrity good match
prevent

Enforces integrity verification mechanisms for information such as SAML response messages, comprehensively addressing improper cryptographic signature validation.

Security SummaryAI

CVE-2025-59718 is an improper verification of cryptographic signature vulnerability, classified under CWE-347, affecting multiple Fortinet products. It impacts FortiOS versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.17; FortiProxy versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, and 7.0.0 through 7.0.21; FortiSwitchManager versions 7.2.0 through 7.2.6 and 7.0.0 through 7.0.5. The flaw enables an unauthenticated attacker to bypass FortiCloud SSO login authentication by sending a crafted SAML response message. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation allows bypassing authentication controls, potentially granting unauthorized access to the affected Fortinet devices and enabling high-impact compromises of confidentiality, integrity, and availability.

Fortinet's PSIRT advisory (FG-IR-25-647) details patching and mitigation steps for affected versions. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Arctic Wolf has reported observing malicious SSO logins following disclosure of CVE-2025-59718 and CVE-2025-59719, indicating real-world exploitation activity.

Details

CWE(s)
CWE-347
KEV Date Added
16 December 2025

Affected Products

fortinet
fortiproxy
7.0.0 — 7.0.22 · 7.2.0 — 7.2.15 · 7.4.0 — 7.4.11
fortinet
fortiswitchmanager
7.0.0 — 7.0.6 · 7.2.0 — 7.2.7
fortinet
fortios
7.0.0 — 7.0.18 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.9

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1606.002 SAML Tokens Credential Access
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
attack.mitre.org →
Why these techniques?

The vulnerability allows unauthenticated remote bypass of FortiCloud SSO via crafted SAML responses due to improper signature verification, enabling exploitation of public-facing applications/management interfaces (T1190, T1210) and forging SAML tokens (T1606.002).

References