Fixing and finding
Jump to remediation plan
CVE ID

CVE-2025-59718

Published 2025-12-09
Updated 5 months ago
Vendor/s
Fortinet
Product/s
Multiple Products
Version/s
7.0.0 > 7.0.22
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
9.8
/ 10
Critical
Severity Details
Base score
9.8 Critical
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-59718 is a critical CVSS 9.8 authentication bypass in Fortinet FortiOS and FortiProxy. Patch immediately as it is actively exploited in the wild.

CPE

Fortinet logo
Fortinet
Product Version Start Version End (excl.) Status
fortiproxy 7.0.0 7.0.22 vulnerable
fortiproxy 7.2.0 7.2.15 vulnerable
fortiproxy 7.4.0 7.4.11 vulnerable
fortiproxy 7.6.0 7.6.4 vulnerable
fortiswitchmanager 7.0.0 7.0.6 vulnerable
fortiswitchmanager 7.2.0 7.2.7 vulnerable
fortios 7.0.0 7.0.18 vulnerable
fortios 7.2.0 7.2.12 vulnerable
fortios 7.4.0 7.4.9 vulnerable
fortios 7.6.0 7.6.4 vulnerable

Related weakness (CWE)

CWE-347

Remediation plan

1

Apply official patches

Consult the FortiGuard PSIRT advisory FG-IR-25-647 and apply the recommended firmware updates for FortiOS, FortiProxy, and FortiSwitchManager to resolve the SAML signature verification issue.

2

Update affected systems

Upgrade to the following versions or higher: FortiOS 7.0.18, 7.2.12, 7.4.9, or 7.6.4; FortiProxy 7.0.22, 7.2.15, 7.4.11, or 7.6.4; and FortiSwitchManager 7.0.6 or 7.2.7.

3

Restrict access

Disable FortiCloud SSO if it is not business-critical, or implement strict firewall policies and Access Control Lists (ACLs) to ensure only trusted IP addresses can reach the management interface and SAML endpoints.

4

Monitor for exploitation

Review system and authentication logs for anomalous SAML login events, specifically successful SSO authentications originating from unexpected geographic locations or unrecognized IP addresses.

Detection Guidance

Security teams should monitor Fortinet logs for SAML authentication events and cross-reference them with authorized IP addresses. Look for log entries indicating successful logins where the source identity provider metadata appears inconsistent. Inspect network traffic for malformed SAML response payloads targeting administrative interfaces. Additionally, check for unauthorized configuration changes or new administrative accounts created following suspicious SSO login events, as these are common post-exploitation indicators for this specific vulnerability.

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-647 Vendor Advisory https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ Third Party Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718 US Government Resource

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial