CVE-2025-59718
Published: 09 December 2025
Summary
CVE-2025-59718 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fortinet Fortiproxy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Deeper analysis
CVE-2025-59718 is an improper verification of cryptographic signature vulnerability, tracked as CWE-347, that affects multiple Fortinet products including FortiOS versions 7.6.0-7.6.3, 7.4.0-7.4.8, 7.2.0-7.2.11 and 7.0.0-7.0.17, FortiProxy versions 7.6.0-7.6.3, 7.4.0-7.4.10, 7.2.0-7.2.14 and 7.0.0-7.0.21, and FortiSwitchManager versions 7.2.0-7.2.6 and 7.0.0-7.0.5. The flaw permits bypass of FortiCloud SSO login authentication when a crafted SAML response message is presented.
An unauthenticated remote attacker can exploit the issue over the network with low complexity to bypass authentication controls, resulting in full compromise of confidentiality, integrity and availability as reflected in the CVSS 9.8 score.
Fortinet has published advisory FG-IR-25-647 detailing the affected releases, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog. Arctic Wolf has reported observing malicious SSO logins targeting the vulnerability after public disclosure. The associated EPSS score has remained flat at 0.1207 with no material increase from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-202198
Vulnerability details
A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through…
more
7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
- CWE(s)
- KEV Date Added
- 16 December 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote bypass of FortiCloud SSO via crafted SAML responses due to improper signature verification, enabling exploitation of public-facing applications/management interfaces (T1190, T1210) and forging SAML tokens (T1606.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching of the improper cryptographic signature verification flaw in affected Fortinet products, directly eliminating the SAML authentication bypass vulnerability.
Mandates receiving and implementing Fortinet PSIRT advisories and CISA KEV catalog entries for this known exploited vulnerability to enable rapid remediation.
Enforces integrity verification mechanisms for information such as SAML response messages, comprehensively addressing improper cryptographic signature validation.