CVE-2025-59719
Fortinet FortiWeb Cryptographic Signature Verification Bypass Vulnerability
Description
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
INFO
Published Date :
Dec. 9, 2025, 6:15 p.m.
Last Modified :
Dec. 9, 2025, 7:59 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 6abe59d8-c742-4dff-8ce8-9b0ca1073da8 | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update FortiWeb to a patched version.
- Verify SAML response integrity.
- Ensure proper SSO configuration.
Public PoC/Exploit Available at Github
CVE-2025-59719 has a 4 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-59719.
| URL | Resource |
|---|---|
| https://fortiguard.fortinet.com/psirt/FG-IR-25-647 | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-59719 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-59719
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
PoC para determinar si Fortinet es vulnerable a CVE-2025-59718 / CVE-2025-59719
Python
Fortinet announced two closely related authentication‑bypass vulnerabilities on 9 December 2025. Both flaws involve improper verification of cryptographic signatures (CWE‑347) in the handling of SAML responses for the FortiCloud SSO login feature.
Python
parse SAML responses from a pcap
Python
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-59719 vulnerability anywhere in the article.
-
The Hacker News
Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Fortinet has officially confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully-patched firewalls. ... Read more
-
CybersecurityNews
Fortinet Confirms Active Exploitation of FortiCloud SSO Authentication Bypass Vulnerability
Fortinet confirms active exploitation of a FortiCloud SSO authentication bypass vulnerability, with a new automated campaign targeting even fully patched FortiGate devices. Cybersecurity firm Arctic W ... Read more
-
Daily CyberSecurity
“New” Path of Attack: Fully Upgraded Fortinet Devices Hit by SSO Exploits
Fortinet is investigating a concerning new wave of attacks targeting its network security devices, where threat actors are successfully compromising systems that have already been fully patched agains ... Read more
-
The Register
FortiGate firewalls hit by silent SSO intrusions and config theft
FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box. That's accordi ... Read more
-
CybersecurityNews
FortiGate Firewalls Hacked in Automated Attacks to Steal Configuration Data
A new cluster of automated malicious activity targeting FortiGate firewall devices. Beginning January 15, 2026, threat actors have been observed executing unauthorized configuration changes, establish ... Read more
-
BleepingComputer
Hackers breach Fortinet FortiGate devices, steal firewall configs
Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf. The campaign starte ... Read more
-
The Hacker News
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
Cybersecurity company Arctic Wolf has warned of a "new cluster of automated malicious activity" that involves unauthorized firewall configuration changes on Fortinet FortiGate devices. The activity, i ... Read more
-
Daily CyberSecurity
New Campaign Targets FortiGate Firewalls with Unauthorized Config Changes
A fresh wave of automated cyberattacks is targeting FortiGate firewalls, exploiting unauthorized access to create backdoors and steal sensitive configuration data. Security researchers at Arctic Wolf ... Read more
-
Help Net Security
Fully patched FortiGate firewalls are getting compromised via CVE-2025-59718?
CVE-2025-59718, a critical authentication bypass flaw that attackers exploited in December 2025 to compromise FortiGate appliances, appears to persist in newer, purportedly fixed releases of the under ... Read more
-
europa.eu
Cyber Brief 26-01 - December 2025
Cyber Brief (December 2025)January 5, 2025 - Version: 1TLP:CLEARExecutive summaryWe analysed 368 open source reports for this Cyber Security Brief[^1].Relating to cyber policy and law enforcement, the ... Read more
-
CybersecurityNews
Cybersecurity Weekly Recap – PornHub Breach, Cisco 0-Day, Amazon Detains DPRK IT Worker, and more
In a week that revealed the flaws in digital trust, cybersecurity headlines were filled with high-profile breaches, zero-day exploits, and bold nation-state espionage. Attackers claimed to have swiped ... Read more
-
CybersecurityNews
25,000+ FortiCloud SSO-Enabled Devices Exposed to Remote Attacks
Over 25,000 Fortinet devices worldwide with FortiCloud Single Sign-On (SSO) enabled, leaving them potentially exposed to remote attacks. The finding stems from enhanced device fingerprinting in a new ... Read more
-
BleepingComputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability ... Read more
-
security.nl
25.000 Fortinet-apparaten met FortiCloud SSO toegankelijk vanaf internet
Zeker 25.000 Fortinet-apparaten met FortiCloud SSO, waarvan bijna vierhonderd in Nederland, zijn toegankelijk vanaf het internet en lopen daarmee risico om te worden aangevallen, aldus The Shadowserve ... Read more
-
The Hacker News
WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability
Dec 19, 2025Ravie LakshmananVulnerability / Network Security WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. T ... Read more
-
Help Net Security
Attackers are exploiting auth bypass vulnerability on FortiGate firewalls (CVE-2025-59718)
Attackers are exploiting a recently revealed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls, and are leveraging the achieved access to export their system co ... Read more
-
CybersecurityNews
CISA Adds Fortinet Vulnerability to KEV Catalog After Active Exploitation
CISA has officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16, 2025. Designating a critical deadline of December 23, 2025, for organizations to apply nec ... Read more
-
BleepingComputer
Hackers exploit newly patched Fortinet auth bypass flaws
Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and steal system configuration files. The two vulnerabilities ... Read more
-
The Hacker News
Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass
Dec 16, 2025Ravie LakshmananNetwork Security / Vulnerability Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public discl ... Read more
-
security.nl
'Kritieke Fortinet-lekken 3 dagen na bekendmaking misbruikt bij aanvallen'
Twee kritieke kwetsbaarheden in verschillende Fortinet-producten zijn vorige week misbruikt bij aanvallen, drie dagen nadat ze bekend waren gemaakt. Dat meldt securitybedrijf Arctic Wolf. De twee beve ... Read more
The following table lists the changes that have been made to the
CVE-2025-59719 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Dec. 09, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versions from (including) 7.4.0 up to (including) 7.4.9 *cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versions from (including) 7.6.0 up to (including) 7.6.4 *cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:* Added Reference Type Fortinet, Inc.: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 09, 2025
Action Type Old Value New Value Added Description An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-347 Added Reference https://fortiguard.fortinet.com/psirt/FG-IR-25-647