CVE-2025-59718

CriticalCISA KEVActive Exploitation

Published: 09 December 2025

Published

09 December 2025

Modified

17 December 2025

KEV Added

16 December 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0818 92.3th percentile

Risk Priority 45 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59718 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fortinet Fortiproxy. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the improper cryptographic signature verification flaw in affected Fortinet products, directly eliminating the SAML authentication bypass vulnerability.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Mandates receiving and implementing Fortinet PSIRT advisories and CISA KEV catalog entries for this known exploited vulnerability to enable rapid remediation.

SI-7 Software, Firmware, and Information Integrity good match

prevent

Enforces integrity verification mechanisms for information such as SAML response messages, comprehensively addressing improper cryptographic signature validation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1606.002 SAML Tokens Credential Access

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote bypass of FortiCloud SSO via crafted SAML responses due to improper signature verification, enabling exploitation of public-facing applications/management interfaces (T1190, T1210) and forging SAML tokens (T1606.002).

NVD Description

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through…

7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Deeper analysisAI

CVE-2025-59718 is an improper verification of cryptographic signature vulnerability, classified under CWE-347, affecting multiple Fortinet products. It impacts FortiOS versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.17; FortiProxy versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, and 7.0.0 through 7.0.21; FortiSwitchManager versions 7.2.0 through 7.2.6 and 7.0.0 through 7.0.5. The flaw enables an unauthenticated attacker to bypass FortiCloud SSO login authentication by sending a crafted SAML response message. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation allows bypassing authentication controls, potentially granting unauthorized access to the affected Fortinet devices and enabling high-impact compromises of confidentiality, integrity, and availability.

Fortinet's PSIRT advisory (FG-IR-25-647) details patching and mitigation steps for affected versions. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Arctic Wolf has reported observing malicious SSO logins following disclosure of CVE-2025-59718 and CVE-2025-59719, indicating real-world exploitation activity.

Details

CWE(s): CWE-347
KEV Date Added: 16 December 2025

Affected Products

fortinet

fortiproxy

7.0.0 — 7.0.22 · 7.2.0 — 7.2.15 · 7.4.0 — 7.4.11

fortinet

fortiswitchmanager

7.0.0 — 7.0.6 · 7.2.0 — 7.2.7

fortinet

fortios

7.0.0 — 7.0.18 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.9

CVEs Like This One

CVE-2024-55591Same product: Fortinet Fortiosboth on KEV

CVE-2025-24472Same product: Fortinet Fortiosboth on KEV

CVE-2024-26009Same product: Fortinet Fortios

CVE-2024-26006Same product: Fortinet Fortios

CVE-2025-25249Same product: Fortinet Fortios

CVE-2026-24858Same product: Fortinet Fortiosboth on KEV

CVE-2025-53847Same product: Fortinet Fortios

CVE-2024-35279Same product: Fortinet Fortios

CVE-2024-45324Same product: Fortinet Fortios

CVE-2026-22153Same product: Fortinet Fortios

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-647
Vendor Advisory · psirt@fortinet.com
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0