CVE-2025-59718
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability - [Actively Exploited]
Description
A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
INFO
Published Date :
Dec. 9, 2025, 6:15 p.m.
Last Modified :
Dec. 17, 2025, 1:54 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ; https://docs.fortinet.com/upgrade-tool/fortigate ; https://nvd.nist.gov/vuln/detail/CVE-2025-59718
Affected Products
The following products are affected by CVE-2025-59718
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 6abe59d8-c742-4dff-8ce8-9b0ca1073da8 | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update FortiOS to a fixed version.
- Update FortiProxy to a fixed version.
- Update FortiSwitchManager to a fixed version.
Public PoC/Exploit Available at Github
CVE-2025-59718 has a 6 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-59718.
| URL | Resource |
|---|---|
| https://fortiguard.fortinet.com/psirt/FG-IR-25-647 | Vendor Advisory |
| https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-59718 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-59718
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
PoC para determinar si Fortinet es vulnerable a CVE-2025-59718 / CVE-2025-59719
Python
Fortinet announced two closely related authentication‑bypass vulnerabilities on 9 December 2025. Both flaws involve improper verification of cryptographic signatures (CWE‑347) in the handling of SAML responses for the FortiCloud SSO login feature.
Python
Mise en place d'un système de veille et d'analyse de menaces pour une entreprise du secteur de l'énergie
parse SAML responses from a pcap
Python
CVE-2025-59718
Python
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-59718 vulnerability anywhere in the article.
-
The Cyber Express
CISA Adds Five Enterprise Software Flaws to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five enterprise software flaws to its Known Exploited Vulnerabilities (KEV) Catalog in an 18-hour span. On January 22, CISA a ... Read more
-
The Hacker News
Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Fortinet has officially confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. ... Read more
-
CybersecurityNews
Fortinet Confirms Active Exploitation of FortiCloud SSO Authentication Bypass Vulnerability
Fortinet confirms active exploitation of a FortiCloud SSO authentication bypass vulnerability, with a new automated campaign targeting even fully patched FortiGate devices. Cybersecurity firm Arctic W ... Read more
-
The Cyber Express
The Cyber Express Weekly Roundup: FortiOS Exploits, Ransomware, Hacktivist Surge, and EU Telecom Rules
The third week of 2026 highlights a series of cybersecurity events affecting businesses, critical infrastructure, and regulatory compliance. This week, network administrators are grappling with the ex ... Read more
-
BleepingComputer
Fortinet confirms critical FortiCloud auth bypass not fully patched
Days after admins began reporting that their fully patched firewalls are being hacked, Fortinet confirmed it's working to fully address a critical FortiCloud SSO authentication bypass vulnerability th ... Read more
-
The Cyber Express
GitLab Releases Critical Patch Updates to Address Multiple High-Severity Vulnerabilities
GitLab has issued a new GitLab patch release addressing a range of security vulnerabilities and stability issues across multiple supported versions. The latest updates, versions 18.8.2, 18.7.2, and 18 ... Read more
-
Daily CyberSecurity
“New” Path of Attack: Fully Upgraded Fortinet Devices Hit by SSO Exploits
Fortinet is investigating a concerning new wave of attacks targeting its network security devices, where threat actors are successfully compromising systems that have already been fully patched agains ... Read more
-
The Register
FortiGate firewalls hit by silent SSO intrusions and config theft
FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box. That's accordi ... Read more
-
CybersecurityNews
FortiGate Firewalls Hacked in Automated Attacks to Steal Configuration Data
A new cluster of automated malicious activity targeting FortiGate firewall devices. Beginning January 15, 2026, threat actors have been observed executing unauthorized configuration changes, establish ... Read more
-
The Cyber Express
Fortinet Admins Report Active Exploits on “Fixed” FortiOS 7.4.9 Firmware
Network administrators worldwide are scrambling this morning following credible reports that the critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively expl ... Read more
-
BleepingComputer
Hackers breach Fortinet FortiGate devices, steal firewall configs
Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf. The campaign starte ... Read more
-
security.nl
Beheerders melden aanvallen op volledig gepatchte Fortinet FortiGate-firewalls
Volledig gepatchte Fortinet FortiGate-firewalls zijn het doelwit van aanvallen en Fortinet zou inmiddels tegenover klanten hebben bevestigd dat er een update voor het onderliggende probleem wordt ontw ... Read more
-
The Hacker News
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, i ... Read more
-
CybersecurityNews
Fortinet SSO Vulnerability Actively Exploited to Hack Firewalls and Gain Admin Access
A critical vulnerability in Fortinet’s Single Sign-On (SSO) feature for FortiGate firewalls, tracked as CVE-2025-59718, is under active exploitation. Attackers are leveraging it to create unauthorized ... Read more
-
Daily CyberSecurity
New Campaign Targets FortiGate Firewalls with Unauthorized Config Changes
A fresh wave of automated cyberattacks is targeting FortiGate firewalls, exploiting unauthorized access to create backdoors and steal sensitive configuration data. Security researchers at Arctic Wolf ... Read more
-
Help Net Security
Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?
CVE-2025-59718, a critical authentication bypass flaw that attackers exploited in December 2025 to compromise FortiGate appliances, appears to persist in newer, purportedly fixed releases of the under ... Read more
-
BleepingComputer
Fortinet admins report patched FortiGate firewalls getting hacked
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls. One of the affected ... Read more
-
europa.eu
Cyber Brief 26-01 - December 2025
Cyber Brief (December 2025)January 5, 2025 - Version: 1TLP:CLEARExecutive summaryWe analysed 368 open source reports for this Cyber Security Brief[^1].Relating to cyber policy and law enforcement, the ... Read more
-
BleepingComputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability. Fortinet released Fo ... Read more
-
CybersecurityNews
Cybersecurity Weekly Recap – PornHub Breach, Cisco 0-Day, Amazon Detains DPRK IT Worker, and more
In a week that revealed the flaws in digital trust, cybersecurity headlines were filled with high-profile breaches, zero-day exploits, and bold nation-state espionage. Attackers claimed to have swiped ... Read more
The following table lists the changes that have been made to the
CVE-2025-59718 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Dec. 17, 2025
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.17 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.11 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.8 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.21 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.14 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.10 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.5 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.6 OR *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (excluding) 7.6.4 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.22 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.15 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (excluding) 7.4.11 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (excluding) 7.6.4 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.6 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.7 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.18 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.12 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (excluding) 7.4.9 Added Reference Type CISA-ADP: https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ Types: Third Party Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Dec. 16, 2025
Action Type Old Value New Value Added Reference https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718 -
Initial Analysis by [email protected]
Dec. 09, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.17 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.11 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.8 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.21 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.14 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.10 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.5 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.6 Added Reference Type Fortinet, Inc.: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 09, 2025
Action Type Old Value New Value Added Description A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-347 Added Reference https://fortiguard.fortinet.com/psirt/FG-IR-25-647