A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
The vulnerability consists of improper verification of cryptographic signature (CWE-347) in the SAML response handled by FortiCloud SSO. An attacker without any credentials can send a crafted SAML response message whose signature is not properly validated by the vulnerable device. As a result, the system accepts the forged response as authentic and grants access, bypassing the entire authentication process.
An unauthenticated remote attacker gains full administrative access to Fortinet devices protected by FortiCloud SSO, which can lead to complete takeover of network infrastructure, including firewalls and proxies.
Apply patches available from the vendor according to references (https://fortiguard.fortinet.com/psirt/FG-IR-25-647). Until updates are deployed, it is recommended to monitor SSO logs for suspicious authentications and consider disabling FortiCloud SSO on publicly exposed devices.
FortiOS 7.6.0–7.6.3, FortiOS 7.4.0–7.4.8, FortiOS 7.2.0–7.2.11, FortiOS 7.0.0–7.0.17; FortiProxy 7.6.0–7.6.3, FortiProxy 7.4.0–7.4.10, FortiProxy 7.2.0–7.2.14, FortiProxy 7.0.0–7.0.21; FortiSwitchManager 7.2.0–7.2.6, FortiSwitchManager 7.0.0–7.0.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet FortiOS
OSFortinet7.6.0 – 7.6.4 (bez)7.4.0 – 7.4.9 (bez)7.0.0 – 7.0.18 (bez)7.2.0 – 7.2.12 (bez)Fortinet Fortiproxy
APPFortinet7.0.0 – 7.0.22 (bez)7.2.0 – 7.2.15 (bez)7.4.0 – 7.4.11 (bez)7.6.0 – 7.6.4 (bez)Fortinet Fortiswitchmanager
APPFortinet7.2.0 – 7.2.7 (bez)7.0.0 – 7.0.6 (bez)Siemens Ruggedcom Ape1808
HWSiemenswszystkie wersjeSiemens Ruggedcom Ape1808 Firmware
OSSiemenswszystkie wersje
CISA KEV — detailsi
- Vendori
- Fortinet ↗
- Producti
- Multiple Products
- Added to KEVi
- December 16, 2025
- Remediation deadline (US Federal)i
- December 23, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.
Related vulnerabilities
Buffer overflow RCE z uprawnieniami root w PAN-OS Captive Portal
Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach
Authentication Bypass w FortiOS i FortiProxy — przejęcie uprawnień super-admin
Krytyczna podatność format string RCE w Fortinet FortiOS, FortiProxy i FortiSwitchManager
Out-of-bounds write w Fortinet FortiOS i FortiProxy — RCE bez uwierzytelnienia