CVE-2025-59719
Fortinet FortiWeb Cryptographic Signature Verification Bypass Vulnerability
Description
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
INFO
Published Date :
Dec. 9, 2025, 6:15 p.m.
Last Modified :
Dec. 9, 2025, 7:59 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 6abe59d8-c742-4dff-8ce8-9b0ca1073da8 | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update FortiWeb to a patched version.
- Verify SAML response integrity.
- Ensure proper SSO configuration.
Public PoC/Exploit Available at Github
CVE-2025-59719 has a 3 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-59719.
| URL | Resource |
|---|---|
| https://fortiguard.fortinet.com/psirt/FG-IR-25-647 | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-59719 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-59719
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
PoC para determinar si Fortinet es vulnerable a CVE-2025-59718 / CVE-2025-59719
Python
Fortinet announced two closely related authentication‑bypass vulnerabilities on 9 December 2025. Both flaws involve improper verification of cryptographic signatures (CWE‑347) in the handling of SAML responses for the FortiCloud SSO login feature.
Python
parse SAML responses from a pcap
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-59719 vulnerability anywhere in the article.
-
Daily CyberSecurity
SentinelOne Unmasks Exploitation of FortiGate Appliances as Gateways to Network Takeover
The SentinelOne Digital Forensics & Incident Response (DFIR) team issued a warning: the very appliances designed to protect organizations are being turned against them. Recent investigations revealed ... Read more
-
CybersecurityNews
FortiGate Firewalls Exploited in Wave of Attacks to Breach Networks and Steal Credentials
A series of intrusions in early 2026 in which threat actors compromised FortiGate Next-Generation Firewalls (NGFW) to establish persistent footholds within enterprise environments. Each case was inter ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 11
The Good | Authorities Disrupt Proxy Network and Charge BlackCat Insider, Vendors Patch Critical RCE Bugs U.S. and European law enforcement have dismantled the SocksEscort cybercrime proxy network, wh ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 11
The Good | Authorities Disrupt Proxy Network and Charge BlackCat Insider, Vendors Patch Critical RCE Bugs U.S. and European law enforcement have dismantled the SocksEscort cybercrime proxy network, wh ... Read more
-
The Hacker News
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The ac ... Read more
-
SentinelOne
FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
Overview Throughout early 2026, SentinelOne’s® Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been ... Read more
-
SentinelOne
FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
Overview Throughout early 2026, SentinelOne’s® Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been ... Read more
-
Kaspersky
SIEM Rules for detecting exploitation of vulnerabilities in FortiCloud SSO
SIEM Kaspersky SIEM got a set of correlation rules for detecting attempts to exploit vulnerabilities for authentication bypass in Fortinet products. Igor Talankin February 5, 2026 Over the past two mo ... Read more
-
CybersecurityNews
Fortinet Disables FortiCloud SSO Following 0-day Vulnerability Exploited in the Wild
Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service after confirming active exploitation of a zero-day authentication bypass vulnerability in multiple products. The issue, tracke ... Read more
-
The Hacker News
Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Fortinet has officially confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. ... Read more
-
CybersecurityNews
Fortinet Confirms Active Exploitation of FortiCloud SSO Authentication Bypass Vulnerability
Fortinet confirms active exploitation of a FortiCloud SSO authentication bypass vulnerability, with a new automated campaign targeting even fully patched FortiGate devices. Cybersecurity firm Arctic W ... Read more
-
Daily CyberSecurity
“New” Path of Attack: Fully Upgraded Fortinet Devices Hit by SSO Exploits
Fortinet is investigating a concerning new wave of attacks targeting its network security devices, where threat actors are successfully compromising systems that have already been fully patched agains ... Read more
-
The Register
FortiGate firewalls hit by silent SSO intrusions and config theft
FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box. That's accordi ... Read more
-
CybersecurityNews
FortiGate Firewalls Hacked in Automated Attacks to Steal Configuration Data
A new cluster of automated malicious activity targeting FortiGate firewall devices. Beginning January 15, 2026, threat actors have been observed executing unauthorized configuration changes, establish ... Read more
-
BleepingComputer
Hackers breach Fortinet FortiGate devices, steal firewall configs
Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf. The campaign starte ... Read more
-
The Hacker News
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, i ... Read more
-
Daily CyberSecurity
New Campaign Targets FortiGate Firewalls with Unauthorized Config Changes
A fresh wave of automated cyberattacks is targeting FortiGate firewalls, exploiting unauthorized access to create backdoors and steal sensitive configuration data. Security researchers at Arctic Wolf ... Read more
-
Help Net Security
Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?
CVE-2025-59718, a critical authentication bypass flaw that attackers exploited in December 2025 to compromise FortiGate appliances, appears to persist in newer, purportedly fixed releases of the under ... Read more
-
europa.eu
Cyber Brief 26-01 - December 2025
Cyber Brief (December 2025)January 5, 2025 - Version: 1TLP:CLEARExecutive summaryWe analysed 368 open source reports for this Cyber Security Brief[^1].Relating to cyber policy and law enforcement, the ... Read more
-
CybersecurityNews
Cybersecurity Weekly Recap – PornHub Breach, Cisco 0-Day, Amazon Detains DPRK IT Worker, and more
In a week that revealed the flaws in digital trust, cybersecurity headlines were filled with high-profile breaches, zero-day exploits, and bold nation-state espionage. Attackers claimed to have swiped ... Read more
The following table lists the changes that have been made to the
CVE-2025-59719 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Dec. 09, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.9 *cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.4 *cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:* Added Reference Type Fortinet, Inc.: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 09, 2025
Action Type Old Value New Value Added Description An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-347 Added Reference https://fortiguard.fortinet.com/psirt/FG-IR-25-647