Cyber Resilience

CVE-2025-59719

CriticalEUVD ExploitedUpdated

Published: 09 December 2025

Published
09 December 2025
Modified
09 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 51.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59719 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fortinet Fortiweb. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59719 is an improper verification of cryptographic signature vulnerability, classified under CWE-347, affecting Fortinet FortiWeb versions 8.0.0, 7.6.0 through 7.6.4, and 7.4.0 through 7.4.9. Published on 2025-12-09, the issue enables an unauthenticated attacker to bypass FortiCloud SSO login authentication by submitting a crafted SAML response message that evades signature checks. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, and severe impacts on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely without privileges or user interaction. By crafting a SAML response message that exploits the improper signature verification, the attacker bypasses FortiCloud SSO authentication, gaining unauthorized access to the affected FortiWeb instance.

Mitigation details are provided in the Fortinet PSIRT advisory FG-IR-25-647, available at https://fortiguard.fortinet.com/psirt/FG-IR-25-647.

EU & UK References

Vulnerability details

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote attackers to exploit a public-facing web application (FortiWeb management interface) by crafting a SAML response that bypasses signature verification, granting unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55594Same product: Fortinet Fortiweb
CVE-2025-52970Same product: Fortinet Fortiweb
CVE-2025-64447Same product: Fortinet Fortiweb
CVE-2026-40688Same product: Fortinet Fortiweb
CVE-2025-66178Same product: Fortinet Fortiweb
CVE-2023-42784Same product: Fortinet Fortiweb
CVE-2024-55597Same product: Fortinet Fortiweb
CVE-2024-50567Same product: Fortinet Fortiweb
CVE-2024-50569Same product: Fortinet Fortiweb
CVE-2026-24017Same product: Fortinet Fortiweb

Affected Assets

fortinet
fortiweb
8.0.0 · 7.4.0 — 7.4.9 · 7.6.0 — 7.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-59719 by requiring timely application of Fortinet patches to fix the improper cryptographic signature verification in FortiWeb SAML processing.

prevent

Mandates verification of information integrity using cryptographic signatures, preventing bypass via crafted SAML responses lacking proper validation.

prevent

Implements cryptographic mechanisms to protect authentication data, directly addressing the improper signature verification flaw in FortiCloud SSO SAML responses.

References