1. Home
  2. Vulnerabilities
  3. CVE-2025-59718
Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2025-59718
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability - [Actively Exploited]
Description

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

INFO

Published Date :

Dec. 9, 2025, 6:15 p.m.

Last Modified :

Dec. 17, 2025, 1:54 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ; https://docs.fortinet.com/upgrade-tool/fortigate ; https://nvd.nist.gov/vuln/detail/CVE-2025-59718

Affected Products

The following products are affected by CVE-2025-59718 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Fortinet fortios
2 Fortinet fortiswitchmanager
3 Fortinet fortiproxy
: Total Affected Vendor : 1 | Products : 3
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 6abe59d8-c742-4dff-8ce8-9b0ca1073da8
CVSS 3.1 CRITICAL [email protected]
Solution
Update FortiOS and FortiProxy to a fixed version to address SAML bypass.
  • Update FortiOS to a fixed version.
  • Update FortiProxy to a fixed version.
  • Update FortiSwitchManager to a fixed version.
Public PoC/Exploit Available at Github

CVE-2025-59718 has a 6 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-59718.

URL Resource
https://fortiguard.fortinet.com/psirt/FG-IR-25-647 Vendor Advisory
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-59718 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-59718 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
moften/CVE-2025-59718-Fortinet-Poc

PoC para determinar si Fortinet es vulnerable a CVE-2025-59718 / CVE-2025-59719

Python

Updated: 4 days, 16 hours ago
1 stars 0 fork 0 watcher
Born at : Dec. 27, 2025, 4:24 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
exfil0/CVE-2025-59718-PoC

Fortinet announced two closely related authentication‑bypass vulnerabilities on 9 December 2025. Both flaws involve improper verification of cryptographic signatures (CWE‑347) in the handling of SAML responses for the FortiCloud SSO login feature.

Python

Updated: 1 week, 5 days ago
1 stars 3 fork 3 watcher
Born at : Dec. 17, 2025, 11:33 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
Danmatic8/Projet-1-Veille-Securite

Mise en place d'un système de veille et d'analyse de menaces pour une entreprise du secteur de l'énergie

Updated: 2 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at : Dec. 15, 2025, 2:42 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
f00dikator/SAML-parser

parse SAML responses from a pcap

Python

Updated: 3 weeks, 2 days ago
0 stars 0 fork 0 watcher
Born at : Dec. 11, 2025, 2:45 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
Ashwesker/Blackash-CVE-2025-59718

CVE-2025-59718

Python

Updated: 2 weeks, 5 days ago
6 stars 4 fork 4 watcher
Born at : Dec. 11, 2025, 9:55 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
DevGreick/devgreick

None

Python

Updated: 7 hours, 8 minutes ago
1 stars 0 fork 0 watcher
Born at : Oct. 29, 2024, 8:10 p.m. This repo has been linked 11 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-59718 vulnerability anywhere in the article.

  • BleepingComputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass

Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability. Fortinet released Fo ... Read more

Published Date: Jan 02, 2026 (1 day, 13 hours ago)
  • CybersecurityNews
Cybersecurity Weekly Recap – PornHub Breach, Cisco 0-Day, Amazon Detains DPRK IT Worker, and more

In a week that revealed the flaws in digital trust, cybersecurity headlines were filled with high-profile breaches, zero-day exploits, and bold nation-state espionage. Attackers claimed to have swiped ... Read more

Published Date: Dec 21, 2025 (1 week, 6 days ago)
  • Help Net Security
Week in review: Exploited zero-day in Cisco email security appliances, Kali Linux 2025.4 released

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: How researchers are teaching AI agents to ask for permission the right way People are starting to hand ... Read more

Published Date: Dec 21, 2025 (1 week, 6 days ago)
  • CybersecurityNews
25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks

Over 25,000 Fortinet devices worldwide with FortiCloud Single Sign-On (SSO) enabled, leaving them potentially exposed to remote attacks. The finding stems from enhanced device fingerprinting in a new ... Read more

Published Date: Dec 19, 2025 (2 weeks, 1 day ago)
  • BleepingComputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks

Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability ... Read more

Published Date: Dec 19, 2025 (2 weeks, 1 day ago)
  • security.nl
25.000 Fortinet-apparaten met FortiCloud SSO toegankelijk vanaf internet

Zeker 25.000 Fortinet-apparaten met FortiCloud SSO, waarvan bijna vierhonderd in Nederland, zijn toegankelijk vanaf het internet en lopen daarmee risico om te worden aangevallen, aldus The Shadowserve ... Read more

Published Date: Dec 19, 2025 (2 weeks, 1 day ago)
  • The Hacker News
WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

Dec 19, 2025Ravie LakshmananVulnerability / Network Security WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. T ... Read more

Published Date: Dec 19, 2025 (2 weeks, 1 day ago)
  • Help Net Security
Cisco email security appliances rooted and backdoored via still unpatched zero-day

A suspected Chinese-nexus threat group has been compromising Cisco email security devices and planting backdoors and log-purging tools on them since at least late November 2025, Cisco Talos researcher ... Read more

Published Date: Dec 17, 2025 (2 weeks, 3 days ago)
  • Help Net Security
Attackers are exploiting auth bypass vulnerability on FortiGate firewalls (CVE-2025-59718)

Attackers are exploiting a recently revealed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls, and are leveraging the achieved access to export their system co ... Read more

Published Date: Dec 17, 2025 (2 weeks, 3 days ago)
  • CybersecurityNews
CISA Adds Fortinet Vulnerability to KEV Catalog After Active Exploitation

CISA has officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16, 2025. Designating a critical deadline of December 23, 2025, for organizations to apply nec ... Read more

Published Date: Dec 17, 2025 (2 weeks, 3 days ago)
  • CybersecurityNews
CISA Warns of Gladinet CentreStack and Triofox Vulnerability Exploited in Attacks

CISA issued a critical warning regarding a hardcoded cryptographic key vulnerability affecting Gladinet CentreStack and Triofox file management solutions. The vulnerability, tracked as CVE-2025-14611, ... Read more

Published Date: Dec 17, 2025 (2 weeks, 3 days ago)
  • CybersecurityNews
Chrome Zero-Day Vulnerabilities Exploited in 2025 – A Comprehensive Analysis

Throughout 2025, Google addressed a significant wave of actively exploited zero-day vulnerabilities affecting its Chrome browser, patching a total of eight critical flaws that threatened billions of u ... Read more

Published Date: Dec 17, 2025 (2 weeks, 3 days ago)
  • BleepingComputer
Hackers exploit newly patched Fortinet auth bypass flaws

Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and steal system configuration files. The two vulnerabilities ... Read more

Published Date: Dec 16, 2025 (2 weeks, 4 days ago)
  • The Hacker News
Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass

Dec 16, 2025Ravie LakshmananNetwork Security / Vulnerability Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public discl ... Read more

Published Date: Dec 16, 2025 (2 weeks, 4 days ago)
  • security.nl
'Kritieke Fortinet-lekken 3 dagen na bekendmaking misbruikt bij aanvallen'

Twee kritieke kwetsbaarheden in verschillende Fortinet-producten zijn vorige week misbruikt bij aanvallen, drie dagen nadat ze bekend waren gemaakt. Dat meldt securitybedrijf Arctic Wolf. De twee beve ... Read more

Published Date: Dec 16, 2025 (2 weeks, 4 days ago)
  • CybersecurityNews
Critical FortiGate Devices SSO Vulnerabilities Actively Exploited in the Wild

An active intrusion is targeting critical authentication bypass vulnerabilities in Fortinet’s FortiGate appliances and related products. Threat actors are exploiting CVE-2025-59718 and CVE-2025-59719 ... Read more

Published Date: Dec 16, 2025 (2 weeks, 4 days ago)
  • Daily CyberSecurity
Critical FortiGate SSO Flaw Under Active Exploitation: Attackers Bypass Auth and Exfiltrate Configs

A critical security crisis is unfolding for Fortinet administrators this week. Just days after the vendor disclosed two high-severity vulnerabilities, threat actors have begun actively exploiting them ... Read more

Published Date: Dec 16, 2025 (2 weeks, 5 days ago)
  • TheCyberThrone
CISA adds Chrome ans Sierra Bugs to KEV Catalog

CISA has added two high‑impact vulnerabilities—CVE‑2025‑14174 in Google Chromium and CVE‑2018‑4063 in Sierra Wireless AirLink ALEOS—to the Known Exploited Vulnerabilities (KEV) catalog after confirmin ... Read more

Published Date: Dec 13, 2025 (3 weeks ago)
  • TheCyberThrone
GeoServer CVE-2025-58360 added to CISA KEV

Why this vulnerability mattersCVE-2025-58360 is a recently disclosed XML External Entity (XXE) vulnerability in OSGeo GeoServer that has now been added to the CISA Known Exploited Vulnerabilities (KEV ... Read more

Published Date: Dec 12, 2025 (3 weeks, 2 days ago)
  • TheCyberThrone
Fortinet Critical Bugs CVE-2025-59718 and CVE-2025-59719

December 11, 2025Fortinet recently disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO login feature, tracked as CVE-2025-59718 and CVE-2025-59719. These flaws allow una ... Read more

Published Date: Dec 11, 2025 (3 weeks, 3 days ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-59718 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Dec. 17, 2025

    Action Type Old Value New Value
    Changed CPE Configuration OR *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.17 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.11 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.8 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.21 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.14 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.10 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.5 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.6 OR *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (excluding) 7.6.4 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.22 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.15 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (excluding) 7.4.11 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (excluding) 7.6.4 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.6 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.7 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.18 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.12 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (excluding) 7.4.9
    Added Reference Type CISA-ADP: https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ Types: Third Party Advisory
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 16, 2025

    Action Type Old Value New Value
    Added Reference https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718
  • Initial Analysis by [email protected]

    Dec. 09, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.17 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.11 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.8 *cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.21 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.14 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.10 *cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.3 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (including) 7.0.5 *cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.6
    Added Reference Type Fortinet, Inc.: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 Types: Vendor Advisory
  • New CVE Received by [email protected]

    Dec. 09, 2025

    Action Type Old Value New Value
    Added Description A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-347
    Added Reference https://fortiguard.fortinet.com/psirt/FG-IR-25-647
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact