Active Exploitation of Critical Fortinet SAML Authentication Bypass (CVE-2025-59718, CVE-2025-59719)
December 18th, 2025
Critical

Our Cyber Threat Intelligence Unit has identified two critical authentication-bypass vulnerabilities affecting multiple Fortinet products, including FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager. Tracked as CVE-2025-59718 and CVE-2025-59719, these vulnerabilities allow a remote, unauthenticated attacker to bypass FortiCloud Single Sign-On (SSO) authentication by submitting a crafted SAML response. While Fortinet initially disclosed these vulnerabilities on December 9, 2025, security researchers observed malicious SSO login activity beginning on December 12, 2025. This activity, consistent with active exploitation, prompted heightened concern across the security industry. Given the high risk and evidence of malicious use, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) Catalog on December 16, 2025, significantly increasing remediation urgency. Unpatched systems with FortiCloud SSO enabled are being actively targeted by threat actors seeking complete administrative control of exposed Fortinet management interfaces.
Technical Details
CVE IDs:
CVE-2025-59718: FortiOS, FortiProxy, FortiSwitchManager.
CVE-2025-59719: FortiWeb.
Severity: Critical (CVSS 9.8)
Vulnerability Type: Improper verification of cryptographic signatures (CWE-347).
Attack Vector: Authentication bypass via crafted SAML response message.
Exploitation Prerequisites:
FortiCloud SSO login must be enabled on the device.
No authentication or prior access is required.
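The following added example is not Fortinet code and does not reproduce the specific flaw in these products; it is a generic illustration of CWE-347 on a SAML-like response, contrasting a verifier that checks a signature only when one happens to be present with one that requires a signature, binds it to the exact assertion it will trust, and enforces issuer, audience and validity window. The element layout, the HMAC-SHA256 stand-in for XML-DSig (real SAML uses RSA or ECDSA over canonicalized XML), and the issuer, audience and key values are constructed assumptions.

```python
"""Generic CWE-347 illustration on a SAML-like response (added example, not
Fortinet code).  Element layout and HMAC "signature" are constructed stand-ins
for SAML 2.0 / XML-DSig; issuer, audience and key values are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

IDP_KEY = b"constructed-idp-signing-key"        # stand-in for the IdP's key
EXPECTED_ISSUER = "https://idp.example.test"      # constructed
EXPECTED_AUDIENCE = "https://gateway.example.test/sso"   # constructed


def _sign(assertion: ET.Element) -> str:
    """Signature over the serialized assertion (stand-in for XML-DSig)."""
    return hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()


def build_response(user: str, not_on_or_after: datetime, issuer: str = EXPECTED_ISSUER,
                   audience: str = EXPECTED_AUDIENCE, sign: bool = True) -> str:
    """Build a response as the IdP would; sign=False models an unsigned one."""
    resp = ET.Element("Response")
    a = ET.SubElement(resp, "Assertion", ID="_a1")
    ET.SubElement(a, "Issuer").text = issuer
    ET.SubElement(a, "Subject").text = user
    ET.SubElement(a, "Conditions", NotOnOrAfter=not_on_or_after.isoformat(), Audience=audience)
    if sign:
        ET.SubElement(resp, "Signature", Reference="_a1").text = _sign(a)
    return ET.tostring(resp, encoding="unicode")


def weak_verify(xml_text: str) -> Optional[str]:
    """CWE-347 pattern: the signature is checked only when one is present, so an
    unsigned response is accepted on the strength of its contents alone."""
    root = ET.fromstring(xml_text)
    a = root.find("Assertion")
    sig = root.find("Signature")
    if sig is not None and not hmac.compare_digest(sig.text or "", _sign(a)):
        return None
    return a.findtext("Subject")


def strict_verify(xml_text: str, now: Optional[datetime] = None) -> Optional[str]:
    """Require a signature, verify it over the exact assertion that will be
    trusted, then enforce issuer, audience and validity window."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    if sig is None or not sig.text:
        return None                                   # unsigned: never trusted
    ref = sig.get("Reference")
    a = next((x for x in root.findall("Assertion") if x.get("ID") == ref), None)
    if a is None or not hmac.compare_digest(sig.text, _sign(a)):
        return None                                   # unreferenced or bad signature
    cond = a.find("Conditions")
    if cond is None or a.findtext("Issuer") != EXPECTED_ISSUER:
        return None
    if cond.get("Audience") != EXPECTED_AUDIENCE:
        return None
    exp = cond.get("NotOnOrAfter")
    if not exp or now >= datetime.fromisoformat(exp):
        return None                                   # expired or malformed
    return a.findtext("Subject")


def demo() -> dict:
    """Run four scenarios; each value is (weak result, strict result)."""
    now = datetime(2025, 12, 18, tzinfo=timezone.utc)
    future, past = now + timedelta(minutes=5), now - timedelta(minutes=5)
    good = build_response("alice", future)
    tampered = good.replace("<Subject>alice</Subject>", "<Subject>admin</Subject>")
    unsigned = build_response("admin", future, sign=False)
    expired = build_response("alice", past)
    cases = [("good", good), ("tampered", tampered), ("unsigned", unsigned), ("expired", expired)]
    return {name: (weak_verify(x), strict_verify(x, now)) for name, x in cases}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} weak={result[0]!r:8} strict={result[1]!r}")
```

Only the strict verifier rejects the unsigned and expired responses; both reject a tampered one, which is why a missing-signature path, not a broken hash, is the usual shape of this weakness class.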
Affected Versions and Fixes:
FortiOS:
FortiOS 7.6: Versions 7.6.0–7.6.3 → Upgrade to 7.6.4 or later.
FortiOS 7.4: Versions 7.4.0–7.4.8 → Upgrade to 7.4.9 or later.
FortiOS 7.2: Versions 7.2.0–7.2.11 → Upgrade to 7.2.12 or later.
FortiOS 7.0: Versions 7.0.0–7.0.17 → Upgrade to 7.0.18 or later.
FortiProxy:
FortiProxy 7.6: Versions 7.6.0–7.6.3 → Upgrade to 7.6.4 or later.
FortiProxy 7.4: Versions 7.4.0–7.4.10 → Upgrade to 7.4.11 or later.
FortiProxy 7.2: Versions 7.2.0–7.2.14 → Upgrade to 7.2.15 or later.
FortiProxy 7.0: Versions 7.0.0–7.0.21 → Upgrade to 7.0.22 or later.
FortiSwitchManager:
FortiSwitchManager 7.2: Versions 7.2.0–7.2.6 → Upgrade to 7.2.7 or later.
FortiSwitchManager 7.0: Versions 7.0.0–7.0.5 → Upgrade to 7.0.6 or later.
FortiWeb:
FortiWeb 8.0: Version 8.0.0 → Upgrade to 8.0.1 or later.
FortiWeb 7.6: Versions 7.6.0–7.6.4 → Upgrade to 7.6.5 or later.
FortiWeb 7.4: Versions 7.4.0–7.4.9 → Upgrade to 7.4.10 or later.
Exposure Note: FortiCloud SSO is disabled by default, but may become enabled during device registration unless administrators explicitly disable the “Allow administrative login using FortiCloud SSO” option.

Impact
Unauthorized Administrative Takeover: Successful exploitation grants complete administrative access to the device management plane without the need for valid credentials or multi-factor authentication (MFA).
Data and Credential Exfiltration: Observed threat actor behavior includes the immediate export of device configuration files via the GUI. These files contain hashed credentials, network topology, and security policies, which may be used for offline password cracking and further network infiltration.
Infrastructure & Lateral Risk: Compromised gateways serve as an ideal pivot point for lateral movement. Attackers have been observed using hosting providers (such as The Constant Company and Kaopu Cloud) to mask their origin while probing for vulnerable interfaces.
Persistence & Configuration Tampering: Once authenticated as an administrator, attackers can create rogue accounts, modify firewall rules to allow permanent backdoors, or disable security logging to mask future activity.
Widespread Exposure: Affects widely deployed Fortinet products across enterprise and service-provider environments.
Detection Method
Asset Inventory & Version Validation: Identify Fortinet devices running vulnerable versions of FortiOS, FortiProxy, FortiWeb, or FortiSwitchManager.
FortiCloud SSO Configuration Review: Confirm whether FortiCloud SSO login is enabled on management interfaces.
Authentication Log Monitoring: Monitor for unexpected or anomalous administrative logins via FortiCloud SSO.
Configuration Integrity Checks: Review recent configuration changes, new admin accounts, or policy modifications following SSO activity.
Management Plane Exposure: Identify devices with management interfaces exposed to untrusted or external networks.
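As an added example of the authentication-log and configuration-integrity checks above (not a vendor detection rule), the following Python correlates an administrative login via FortiCloud SSO, or from a source address outside the trusted management range, with a configuration export or an administrator-table change by the same user and source within 30 minutes. The five log lines are constructed; the key=value layout and the field names (logdesc, user, srcip, method, action, cfgpath) are assumptions about the device's log format to be validated against real logs, as is the 10.0.0.0/8 trusted range.

```python
"""Correlate SSO/untrusted admin logins with follow-on config activity
(added example, not vendor code).  Log lines are constructed; field names and
the trusted range are assumptions to verify against real device logs."""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List

SAMPLE_LOGS = """\
date=2025-12-12 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="forticloud-sso" srcip=203.0.113.10 action="login" status="success"
date=2025-12-12 time=03:15:40 type="event" subtype="system" logdesc="Config backup" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="backup" status="success"
date=2025-12-12 time=03:17:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2025-12-12 time=08:02:11 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" method="local" srcip=10.20.0.15 action="login" status="success"
date=2025-12-12 time=08:05:00 type="event" subtype="system" logdesc="Config backup" user="netops" ui="https(10.20.0.15)" srcip=10.20.0.15 action="backup" status="success"
"""

TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]   # constructed allow-list
WINDOW = timedelta(minutes=30)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict and attach a datetime as 'ts'."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def _is_high_value(e: dict) -> bool:
    """Config export (immediate export noted in the advisory) or a change to
    the administrator table, where rogue accounts would be created."""
    return e.get("logdesc") == "Config backup" or e.get("cfgpath") == "system.admin"


def suspicious_sso_logins(raw: str) -> List[dict]:
    """Return one alert per admin login that used FortiCloud SSO or came from an
    untrusted source, listing high-value actions that followed within WINDOW."""
    events = [parse_line(l) for l in raw.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev.get("logdesc") != "Admin login successful" or ev.get("status") != "success":
            continue
        src = ipaddress.ip_address(ev["srcip"])
        reasons = []
        if ev.get("method") == "forticloud-sso":
            reasons.append("forticloud-sso-login")
        if not any(src in net for net in TRUSTED_MGMT):
            reasons.append("untrusted-source")
        if not reasons:
            continue
        window_end = ev["ts"] + WINDOW
        followups = [
            (e["logdesc"], e.get("action", ""), e.get("cfgpath", ""))
            for e in events
            if e is not ev and e.get("user") == ev["user"] and e.get("srcip") == ev["srcip"]
            and ev["ts"] <= e["ts"] <= window_end and _is_high_value(e)
        ]
        alerts.append({"user": ev["user"], "srcip": ev["srcip"], "time": ev["ts"].isoformat(),
                       "reasons": reasons, "followups": followups})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_sso_logins(SAMPLE_LOGS):
        print(alert)
```

The local-password login from the trusted range produces no alert even though it is followed by a backup, while the SSO login from 203.0.113.10 is reported with both its config export and the new administrator object; tune the trusted range and the follow-up window to the environment.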
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Apply Vendor Patches Immediately: Upgrade to Fortinet’s fixed versions listed in our Technical Details section above.
Disable FortiCloud SSO Until Patched: Temporarily disable FortiCloud SSO login on all affected devices if patching cannot be performed immediately.
Restrict Administrative Access: Limit management interface access to trusted internal IP ranges.
Enable Enhanced Logging: Ensure administrative login and configuration-change events are fully logged and retained.
Conduct Post-Patch Audits: Validate device configurations and confirm no unauthorized access occurred prior to remediation.
Network Segmentation: Isolate management planes from production traffic where possible.
Patch Note: If patching cannot be performed immediately, the following CLI commands disable the vulnerable feature on FortiOS devices:
config system global
set admin-forticloud-sso-login disable
end
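The following added example (not Fortinet code) turns the affected-version table in Technical Details and the SSO configuration review into an auditable script: it maps a product and version to the fixed release listed above and inspects a configuration backup for the admin-forticloud-sso-login setting shown in the Patch Note. The sample configuration text is constructed, and treating a missing set line as the default (disabled, per the Exposure Note) is an assumption about backup format to verify on a real device.

```python
"""Version and FortiCloud SSO exposure check (added example, not Fortinet code).
AFFECTED is transcribed from the advisory; the sample config is constructed and
the default-when-absent rule is an assumption about backup format."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (product, first affected, last affected, fixed release) from the advisory
AFFECTED = [
    ("FortiOS", "7.6.0", "7.6.3", "7.6.4"),
    ("FortiOS", "7.4.0", "7.4.8", "7.4.9"),
    ("FortiOS", "7.2.0", "7.2.11", "7.2.12"),
    ("FortiOS", "7.0.0", "7.0.17", "7.0.18"),
    ("FortiProxy", "7.6.0", "7.6.3", "7.6.4"),
    ("FortiProxy", "7.4.0", "7.4.10", "7.4.11"),
    ("FortiProxy", "7.2.0", "7.2.14", "7.2.15"),
    ("FortiProxy", "7.0.0", "7.0.21", "7.0.22"),
    ("FortiSwitchManager", "7.2.0", "7.2.6", "7.2.7"),
    ("FortiSwitchManager", "7.0.0", "7.0.5", "7.0.6"),
    ("FortiWeb", "8.0.0", "8.0.0", "8.0.1"),
    ("FortiWeb", "7.6.0", "7.6.4", "7.6.5"),
    ("FortiWeb", "7.4.0", "7.4.9", "7.4.10"),
]

# Constructed backup excerpt; the set line mirrors the CLI in the Patch Note.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
"""

SSO_RE = re.compile(r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\s*$", re.M)


def parse_version(v: str) -> Version:
    """'7.4.8' -> (7, 4, 8) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def required_fix(product: str, version: str) -> Optional[str]:
    """Fixed release to upgrade to, or None when the version is not affected."""
    ver = parse_version(version)
    for prod, lo, hi, fixed in AFFECTED:
        if prod == product and parse_version(lo) <= ver <= parse_version(hi):
            return fixed
    return None


def forticloud_sso_enabled(config_text: str) -> bool:
    """True when the backup enables FortiCloud SSO admin login.  A missing line
    is treated as the default (disabled): an assumption about backup format."""
    m = SSO_RE.search(config_text)
    return bool(m) and m.group(1) == "enable"


def assess(product: str, version: str, config_text: str) -> str:
    """Combine both checks into a single triage verdict."""
    fix = required_fix(product, version)
    sso = forticloud_sso_enabled(config_text)
    if fix and sso:
        return f"EXPOSED: upgrade to {fix} or later, or disable FortiCloud SSO login now"
    if fix:
        return f"VULNERABLE VERSION: SSO login disabled; still upgrade to {fix} or later"
    if sso:
        return "PATCHED: version not affected; review whether SSO admin login is needed"
    return "OK: version not affected and SSO admin login disabled"


if __name__ == "__main__":
    print(assess("FortiOS", "7.4.6", SAMPLE_CONFIG))
```

Feed it the product and firmware version from inventory and the text of each device's backup; an EXPOSED verdict is the combination the advisory describes as actively targeted.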
Conclusion
CVE-2025-59718 and CVE-2025-59719 are critical authentication-bypass vulnerabilities in Fortinet management interfaces that allow unauthenticated attackers to obtain administrative access via crafted SAML responses when FortiCloud SSO is enabled. Given the critical severity, remote exploitability, and administrative impact, we urge organizations to immediately apply Fortinet’s patches or disable FortiCloud SSO until remediation is complete. Proactive monitoring of authentication activity and management-plane exposure is essential to reduce the risk of compromise.