Cyber Resilience

CVE-2025-59718

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Updated

Published: 09 December 2025
Modified: 09 June 2026
KEV Added: 16 December 2025
Patch
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.1207 (94.0th percentile)
Risk Priority: 47 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59718 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.0% of CVEs by exploit likelihood (EPSS 94.0th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2025-59718 is an improper verification of cryptographic signature vulnerability, tracked as CWE-347, that affects multiple Fortinet products: FortiOS versions 7.6.0-7.6.3, 7.4.0-7.4.8, 7.2.0-7.2.11 and 7.0.0-7.0.17; FortiProxy versions 7.6.0-7.6.3, 7.4.0-7.4.10, 7.2.0-7.2.14 and 7.0.0-7.0.21; and FortiSwitchManager versions 7.2.0-7.2.6 and 7.0.0-7.0.5. The vulnerable code path is the FortiCloud SSO login: the signature on the SAML response is not properly verified, so a response the attacker crafts is accepted and the login authentication is bypassed.
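A small check against the version ranges listed above, added here as an example rather than a Fortinet tool. It encodes the "through" ranges from the description as inclusive at both ends and treats anything outside them as merely unlisted, not as safe. The product names used as map keys and the Check function are this example's own naming, not a Fortinet API.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a FortiOS-style x.y.z release number.
type version struct{ major, minor, patch int }

func parseVersion(s string) (version, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("expected x.y.z, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// less reports whether a precedes b in release order.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// vulnRange is inclusive at both ends, matching the "X through Y" wording
// of the vulnerability description.
type vulnRange struct{ lo, hi string }

// Affected branches exactly as listed in the description for CVE-2025-59718.
var affected = map[string][]vulnRange{
	"FortiOS": {
		{"7.6.0", "7.6.3"}, {"7.4.0", "7.4.8"}, {"7.2.0", "7.2.11"}, {"7.0.0", "7.0.17"},
	},
	"FortiProxy": {
		{"7.6.0", "7.6.3"}, {"7.4.0", "7.4.10"}, {"7.2.0", "7.2.14"}, {"7.0.0", "7.0.21"},
	},
	"FortiSwitchManager": {
		{"7.2.0", "7.2.6"}, {"7.0.0", "7.0.5"},
	},
}

// Check reports whether product/ver falls inside a listed affected range and
// which range matched. A version outside every listed range is reported as
// unmatched; that is not a statement that it is safe, only that the
// description does not list it.
func Check(product, ver string) (bool, string, error) {
	ranges, ok := affected[product]
	if !ok {
		return false, "", fmt.Errorf("unknown product %q", product)
	}
	v, err := parseVersion(ver)
	if err != nil {
		return false, "", err
	}
	for _, r := range ranges {
		lo, _ := parseVersion(r.lo) // table entries are well-formed by construction
		hi, _ := parseVersion(r.hi)
		if !v.less(lo) && !hi.less(v) {
			return true, r.lo + " through " + r.hi, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs: one vulnerable and one fixed-branch build per product line.
	for _, c := range [][2]string{{"FortiOS", "7.4.8"}, {"FortiOS", "7.4.9"}, {"FortiProxy", "7.0.21"}, {"FortiSwitchManager", "7.2.7"}} {
		hit, rng, err := Check(c[0], c[1])
		switch {
		case err != nil:
			fmt.Printf("%s %s: error: %v\n", c[0], c[1], err)
		case hit:
			fmt.Printf("%s %s: affected (listed range %s); upgrade per FG-IR-25-647\n", c[0], c[1], rng)
		default:
			fmt.Printf("%s %s: not in a listed affected range\n", c[0], c[1])
		}
	}
}
```

Feed it the `get system status` version string from each device; the boundary cases (7.4.8 affected, 7.4.9 not) are the ones worth testing before trusting any such table.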

An unauthenticated remote attacker can exploit the issue over the network with low attack complexity, no privileges and no user interaction, bypassing authentication and gaining full compromise of confidentiality, integrity and availability, as reflected in the CVSS 9.8 score.

Fortinet has published advisory FG-IR-25-647 listing the affected releases, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog. Arctic Wolf has reported observing malicious SSO logins that target the vulnerability following public disclosure. The EPSS score has held at 0.1207, with no material change from its earlier baseline.

Vulnerability details

An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
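The weakness class behind this CVE, CWE-347, in the shape it usually takes in an SSO verifier: the service provider checks the SAML response's signature against a key the message itself supplies, or skips the check when no signature is present, instead of pinning the IdP's configured key. The following is an added illustration of that class, not Fortinet's code and not the specific defect fixed in FG-IR-25-647, which this page does not describe. It assumes a JSON stand-in for the canonicalised XML assertion and RSA PKCS#1 v1.5 with SHA-256 in place of XML-DSig; the type and function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is the part of the response the service provider acts on.
type Assertion struct {
	Subject string `json:"subject"`
	Role    string `json:"role"`
}

// Response is a deliberately simplified stand-in for a SAML Response. Real
// SAML is XML carrying an enveloped XML-DSig signature; only the fields that
// matter for the verification logic are kept here.
type Response struct {
	Assertion []byte // canonical assertion bytes (JSON here, C14N XML in SAML)
	KeyInfo   []byte // public key carried inside the message (PKIX DER); attacker-controlled
	Signature []byte // RSA PKCS#1 v1.5 / SHA-256 over Assertion; nil when unsigned
}

func canonical(a Assertion) []byte {
	b, _ := json.Marshal(a) // struct field order fixes the encoding, so this is deterministic
	return b
}

// sign builds a response the way an IdP, or an attacker holding their own key, would.
func sign(priv *rsa.PrivateKey, a Assertion) Response {
	body := canonical(a)
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	pub, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return Response{Assertion: body, KeyInfo: pub, Signature: sig}
}

// verifyImproper is the CWE-347 pattern: a signature, when present, is checked
// against whatever key the message supplies, and an unsigned response is waved
// through. Either mistake lets an attacker log in as any subject they choose.
func verifyImproper(r Response) (Assertion, error) {
	var a Assertion
	if r.Signature != nil {
		k, err := x509.ParsePKIXPublicKey(r.KeyInfo)
		if err != nil {
			return a, err
		}
		pub, ok := k.(*rsa.PublicKey)
		if !ok {
			return a, errors.New("not an RSA key")
		}
		h := sha256.Sum256(r.Assertion)
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], r.Signature); err != nil {
			return a, err
		}
	}
	return a, json.Unmarshal(r.Assertion, &a)
}

// verifyProper pins the IdP public key from configuration, refuses unsigned
// responses, ignores KeyInfo from the message, and parses the assertion only
// from the exact bytes whose signature was just verified.
func verifyProper(idp *rsa.PublicKey, r Response) (Assertion, error) {
	var a Assertion
	if len(r.Signature) == 0 {
		return a, errors.New("response is not signed")
	}
	h := sha256.Sum256(r.Assertion)
	if err := rsa.VerifyPKCS1v15(idp, crypto.SHA256, h[:], r.Signature); err != nil {
		return a, fmt.Errorf("signature does not verify under the configured IdP key: %w", err)
	}
	return a, json.Unmarshal(r.Assertion, &a)
}

// Scenario runs a genuine, an attacker-signed and an unsigned response (all
// constructed here) through both verifiers and reports which ones each accepts.
func Scenario() (map[string]bool, error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	genuine := sign(idpKey, Assertion{Subject: "alice", Role: "user"})
	forged := sign(attackerKey, Assertion{Subject: "admin", Role: "super_admin"})
	unsigned := Response{Assertion: canonical(Assertion{Subject: "admin", Role: "super_admin"})}
	accepted := func(_ Assertion, err error) bool { return err == nil }
	return map[string]bool{
		"improper/genuine":  accepted(verifyImproper(genuine)),
		"improper/forged":   accepted(verifyImproper(forged)),
		"improper/unsigned": accepted(verifyImproper(unsigned)),
		"proper/genuine":    accepted(verifyProper(&idpKey.PublicKey, genuine)),
		"proper/forged":     accepted(verifyProper(&idpKey.PublicKey, forged)),
		"proper/unsigned":   accepted(verifyProper(&idpKey.PublicKey, unsigned)),
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"improper/genuine", "improper/forged", "improper/unsigned",
		"proper/genuine", "proper/forged", "proper/unsigned"} {
		fmt.Printf("%-18s accepted=%v\n", k, res[k])
	}
}
```

The improper verifier accepts all three responses, the proper one only the genuine IdP-signed response. Real XML-DSig adds further traps this model leaves out, in particular signature wrapping, where a validly signed element and an unsigned one coexist in the document and the verifier checks one while the application reads the other; the rule that survives all of them is the one verifyProper follows: verify first, against a pinned key, then act only on the bytes that were verified.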

CWE(s): CWE-347 Improper Verification of Cryptographic Signature
KEV Date Added: 16 December 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1606.002 SAML Tokens (Credential Access): An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

The vulnerability lets an unauthenticated remote attacker bypass FortiCloud SSO by presenting a crafted SAML response whose signature is not properly verified. The SSO login page is the Internet-facing entry point (T1190); the same weakness reached from inside the network on a management interface maps to T1210. The crafted SAML response is the artefact of T1606.002, with one difference from the technique's usual form: because verification is improper, the attacker does not need the IdP's token-signing certificate to produce a response that is accepted.

CVEs Like This One

CVE-2025-24472 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-55591 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-26009 (same product: Fortinet FortiOS)
CVE-2024-26006 (same product: Fortinet FortiOS)
CVE-2025-25249 (same product: Fortinet FortiOS)
CVE-2026-24858 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-45324 (same product: Fortinet FortiOS)
CVE-2024-35279 (same product: Fortinet FortiOS)
CVE-2025-53847 (same product: Fortinet FortiOS)
CVE-2026-22153 (same product: Fortinet FortiOS)

Affected Assets

fortinet fortiproxy: 7.0.0 — 7.0.22 · 7.2.0 — 7.2.15 · 7.4.0 — 7.4.11
fortinet fortiswitchmanager: 7.0.0 — 7.0.6 · 7.2.0 — 7.2.7
fortinet fortios: 7.0.0 — 7.0.18 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.9
siemens ruggedcom ape1808 firmware: all versions

Two things to check before using this table for inventory matching. The upper bounds here sit one patch release past the inclusive "through" ranges in the vulnerability description (FortiProxy 7.0.0 through 7.0.21 there versus 7.0.0 — 7.0.22 here), so they are best read as exclusive end versions rather than as the last affected release. And the 7.6 branch (7.6.0 through 7.6.3 for FortiOS and FortiProxy), which the description lists as affected, does not appear in this table at all.

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2 Flaw Remediation): Requires timely patching of the improper cryptographic signature verification flaw in affected Fortinet products, directly eliminating the SAML authentication bypass vulnerability.

Prevent (SI-5 Security Alerts, Advisories, and Directives): Mandates receiving and implementing Fortinet PSIRT advisories and CISA KEV catalog entries for this known exploited vulnerability to enable rapid remediation.

Prevent: Enforces integrity verification mechanisms for information such as SAML response messages, comprehensively addressing improper cryptographic signature validation.
