CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-59718

CVSS 9.8v3.1pub. 2025-12-09upd. 2026-06-09

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

🤖 AI Analysis
How it works

The vulnerability consists of improper verification of cryptographic signature (CWE-347) in the SAML response handled by FortiCloud SSO. An attacker without any credentials can send a crafted SAML response message whose signature is not properly validated by the vulnerable device. As a result, the system accepts the forged response as authentic and grants access, bypassing the entire authentication process.

Impact

An unauthenticated remote attacker gains full administrative access to Fortinet devices protected by FortiCloud SSO, which can lead to complete takeover of network infrastructure, including firewalls and proxies.

Mitigation & patch

Apply patches available from the vendor according to references (https://fortiguard.fortinet.com/psirt/FG-IR-25-647). Until updates are deployed, it is recommended to monitor SSO logs for suspicious authentications and consider disabling FortiCloud SSO on publicly exposed devices.

Who is affected

FortiOS 7.6.0–7.6.3, FortiOS 7.4.0–7.4.8, FortiOS 7.2.0–7.2.11, FortiOS 7.0.0–7.0.17; FortiProxy 7.6.0–7.6.3, FortiProxy 7.4.0–7.4.10, FortiProxy 7.2.0–7.2.14, FortiProxy 7.0.0–7.0.21; FortiSwitchManager 7.2.0–7.2.6, FortiSwitchManager 7.0.0–7.0.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fortinet FortiOS

    OS
    Fortinet
    7.6.0 – 7.6.4 (bez)7.4.0 – 7.4.9 (bez)7.0.0 – 7.0.18 (bez)7.2.0 – 7.2.12 (bez)
  • Fortinet Fortiproxy

    APP
    Fortinet
    7.0.0 – 7.0.22 (bez)7.2.0 – 7.2.15 (bez)7.4.0 – 7.4.11 (bez)7.6.0 – 7.6.4 (bez)
  • Fortinet Fortiswitchmanager

    APP
    Fortinet
    7.2.0 – 7.2.7 (bez)7.0.0 – 7.0.6 (bez)
  • Siemens Ruggedcom Ape1808

    HW
    Siemens
    wszystkie wersje
  • Siemens Ruggedcom Ape1808 Firmware

    OS
    Siemens
    wszystkie wersje

CISA KEV — detailsi

Vendori
Fortinet
Producti
Multiple Products
Added to KEVi
December 16, 2025
Remediation deadline (US Federal)i
December 23, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 23 grudnia 2025
Tags
Auth BypassFirewall
CWE
References

Related vulnerabilities

CVE-2026-0300CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Buffer overflow RCE z uprawnieniami root w PAN-OS Captive Portal

CVE-2026-24858CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach

CVE-2024-55591CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Authentication Bypass w FortiOS i FortiProxy — przejęcie uprawnień super-admin

CVE-2024-23113CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Krytyczna podatność format string RCE w Fortinet FortiOS, FortiProxy i FortiSwitchManager

CVE-2024-21762CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Out-of-bounds write w Fortinet FortiOS i FortiProxy — RCE bez uwierzytelnienia