What is Fortinet FortiOS?
Fortinet FortiOS is the operating system powering Fortinet's network security appliances, including FortiGate firewalls. FortiGate firewalls are deployed at the perimeter of enterprise and government networks to provide firewall, VPN, IPS, and unified threat management services. FortiCloud SSO is a single sign-on feature that allows administrators to authenticate to FortiGate and other Fortinet appliances using their FortiCloud account credentials via SAML. This feature is automatically enabled when a device is registered with FortiCare — meaning many production deployments have it active without explicit configuration.
Overview
CVE-2025-59718 (paired with CVE-2025-59719 in the same advisory) is a critical improper verification of cryptographic signature vulnerability (CWE-347) in the FortiCloud SSO SAML authentication flow across FortiOS, FortiProxy, FortiWeb, and FortiSwitchMaster. By sending a crafted SAML response with an invalid or forged signature to the /remote/saml/login endpoint, an unauthenticated attacker bypasses authentication and gains administrative access to the Fortinet appliance. Active exploitation was observed just 3 days after Fortinet's disclosure, and a bypass of the initial patch was discovered in January 2026 — meaning even some patched devices were subsequently compromised.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FortiOS | 7.0.x – 7.0.17, 7.2.x – 7.2.11, 7.4.x – 7.4.8, 7.6.x – 7.6.3 | 7.0.18+, 7.2.12+, 7.4.9+, 7.6.4+ |
| FortiProxy | Similar 7.x ranges | Per FG-IR-25-647 |
| FortiWeb | Multiple 7.x branches | Per FG-IR-25-647 |
| FortiSwitchMaster | Multiple versions | Per FG-IR-25-647 |
| FortiOS 6.4 | Not affected | — |
Important: A patch bypass was subsequently discovered in FortiOS 7.4.9 in January 2026. Fortinet was preparing 7.4.11, 7.6.6, and 8.0 as full remediation. Consult the latest Fortinet advisory for current fixed versions.
Attack surface note: FortiCloud SSO is automatically enabled upon FortiCare registration — devices may be vulnerable without the administrator having explicitly configured SSO.
Technical Details
The vulnerability (CWE-347: Improper Verification of Cryptographic Signature) is in the FortiCloud SSO SAML flow. SAML authentication uses XML-signed assertions: the identity provider (FortiCloud) signs an XML assertion, and the service provider (FortiOS) verifies the signature before granting access. The flaw is in FortiOS's SAML signature validation logic: it accepts a crafted SAMLResponse at /remote/saml/login without properly verifying the XML digital signature, treating an unsigned or maliciously signed assertion as legitimate. An attacker can construct a SAML assertion claiming administrator identity and submit it without a valid signature — the device accepts it and grants full administrative access.
Because FortiCloud SSO is automatically activated on FortiCare registration, many appliances have this attack surface exposed without explicit administrator intent.
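To make the CWE-347 failure concrete from the service-provider side, the following added example (not FortiOS code; the IdP entityID and the sample response are placeholders I constructed) shows the structural checks a SAML SP must pass before, never instead of, verifying the XML-DSig cryptographically: exactly one assertion, a pinned issuer, a signature present on that assertion, and a Reference that actually covers it. An unsigned assertion is rejected rather than trusted.

```python
"""Structural pre-checks a SAML service provider performs before (never instead of)
cryptographic XML-DSig verification. Added example, not FortiOS code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Placeholder entityID; a real SP pins the actual IdP (here FortiCloud) entityID.
EXPECTED_ISSUER = "https://idp.example.invalid"


def precheck_response(xml_text: str) -> list[str]:
    """Return structural findings; an empty list means 'now verify the signature cryptographically'."""
    findings = []
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    # Exactly one assertion, so there is no ambiguity about which element the signature covers.
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        findings.append("Issuer does not match the pinned IdP")
    sig = a.find("ds:Signature", NS)
    if sig is None:
        # The CWE-347 failure mode: an unsigned assertion must be rejected, not accepted.
        findings.append("assertion is unsigned")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != f"#{a.get('ID')}":
            findings.append("signature Reference does not cover this assertion")
    return findings


def sample_response(signed: bool, issuer: str = EXPECTED_ISSUER) -> str:
    """Constructed sample response; the signature value is a placeholder, not a real signature."""
    sig = ("<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:SignedInfo>"
           "<ds:Reference URI='#_a1'/></ds:SignedInfo>"
           "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>") if signed else ""
    return (f"<samlp:Response xmlns:samlp='{NS['samlp']}' xmlns:saml='{NS['saml']}'>"
            f"<saml:Assertion ID='_a1'><saml:Issuer>{issuer}</saml:Issuer>{sig}"
            "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
            "</saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    print("signed:  ", precheck_response(sample_response(True)))   # []
    print("unsigned:", precheck_response(sample_response(False)))  # ['assertion is unsigned']
```

Passing these checks only earns the response the right to have its signature verified against the pinned IdP certificate with a proper XML-DSig library; the digest and signature values still have to be checked there.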
Discovery
Not publicly attributed to a specific external researcher. Arctic Wolf observed and reported active malicious logins on 12 December 2025.
Exploitation Context
Arctic Wolf observed active malicious FortiCloud SSO logins on FortiGate devices on 12 December 2025 — just three days after Fortinet's advisory — indicating extremely rapid weaponization. CISA added CVE-2025-59718 to the KEV catalog on 16 December 2025 with a 7-day federal remediation deadline (23 December), reflecting the urgency. In January 2026, a patch bypass was confirmed: FortiGate appliances running FortiOS 7.4.9 (the initially released fix) were found compromised, indicating attacker tooling evolved beyond the initial fix. No specific threat actor group has been publicly attributed.
Remediation
- Upgrade to the latest fixed FortiOS version per FG-IR-25-647 — as of January 2026, verify which versions contain the complete fix (not just the initial 7.4.9 release, which had a bypass). Consult the current Fortinet advisory.
- Immediately check if FortiCloud SSO is enabled: Admin Console → System → SSO/Identity → check if FortiCloud SSO is active. Disable it if not required for your environment.
- Review admin access logs for unusual SSO authentication events — particularly any authentication from unexpected IP addresses or geographic locations.
- Rotate all administrative credentials if compromise is suspected.
- Restrict admin interface access: apply firewall rules to limit HTTPS management access to the FortiGate admin interface to trusted IP ranges only. Disabling internet-reachable management access eliminates this attack vector entirely.
- Subscribe to Fortinet PSIRT advisories and re-verify your patch status — given the bypass discovery, additional updates may be required.
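The log-review step above can be scripted. The following is an added example, not Fortinet tooling: it parses FortiOS-style key=value event lines and flags successful SSO admin logins that come from outside trusted management ranges or from accounts not expected to use FortiCloud SSO. The field names (logdesc, method, srcip, user), the trusted ranges, the known-admin list and the sample lines are all assumptions I constructed; map them to what your FortiOS version actually emits.

```python
"""Triage FortiOS admin-login events for FortiCloud SSO logins that look out of place.
Added example, not Fortinet tooling; field names and sample lines are assumed/constructed."""
import ipaddress
import re

# Assumed: management ranges you trust and the FortiCloud accounts expected to use SSO.
TRUSTED_MGMT = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
KNOWN_SSO_ADMINS = {"alice@corp.example"}
# key=value pairs; values may be double-quoted (and contain spaces) or bare tokens.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line: str) -> dict:
    """Parse one FortiOS syslog line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def flag_sso_logins(lines: list[str]) -> list[dict]:
    """Return findings for successful SSO admin logins from untrusted IPs or unexpected accounts."""
    findings = []
    for line in lines:
        ev = parse_fortilog(line)
        if ev.get("logdesc") != "Admin login successful" or ev.get("method") != "sso":
            continue  # only successful admin logins made through SSO are in scope
        reasons = []
        try:
            if not any(ipaddress.ip_address(ev["srcip"]) in net for net in TRUSTED_MGMT):
                reasons.append("source outside trusted management ranges")
        except (KeyError, ValueError):
            reasons.append("missing or malformed srcip")
        if ev.get("user") not in KNOWN_SSO_ADMINS:
            reasons.append("account not expected to use FortiCloud SSO")
        if reasons:
            findings.append({"when": f"{ev.get('date')} {ev.get('time')}", "user": ev.get("user"),
                             "srcip": ev.get("srcip"), "reasons": reasons})
    return findings


# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2025-12-12 time=09:02:11 type="event" logdesc="Admin login successful" '
    'user="alice@corp.example" ui="https(10.20.0.5)" method="sso" srcip=10.20.0.5 status="success"',
    'date=2025-12-12 time=03:14:07 type="event" logdesc="Admin login successful" '
    'user="svc-remote" ui="https(198.51.100.7)" method="sso" srcip=198.51.100.7 status="success"',
    'date=2025-12-12 time=08:30:00 type="event" logdesc="Admin login successful" '
    'user="admin" ui="https(10.20.0.9)" method="https" srcip=10.20.0.9 status="success"',
]

if __name__ == "__main__":
    for finding in flag_sso_logins(SAMPLE_LOGS):
        print(finding)  # only the svc-remote login from 198.51.100.7 is flagged
```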
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-59718 |
| Vendor / Product | Fortinet — Multiple Products |
| NVD Published | 2025-12-09 |
| NVD Last Modified | 2025-12-17 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-347 |
| CISA KEV Added | 2025-12-16 |
| CISA KEV Deadline | 2025-12-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-12-09 | Fortinet publishes advisory FG-IR-25-647; CVE-2025-59718 and CVE-2025-59719 published |
| 2025-12-12 | Arctic Wolf observes active malicious FortiCloud SSO logins on FortiGate devices — 3 days after disclosure |
| 2025-12-16 | CISA adds to Known Exploited Vulnerabilities catalog with 7-day federal remediation deadline |
| 2025-12-23 | CISA BOD 22-01 remediation deadline |
| 2026-01-21 | Patch bypass confirmed: patched FortiGate appliances (FortiOS 7.4.9) found compromised via a bypass of the initial fix |
References
| Resource | Type |
|---|---|
| Fortinet PSIRT Advisory — FG-IR-25-647 (CVE-2025-59718 / CVE-2025-59719) | Vendor Advisory |
| Fortinet Upgrade Tool | Vendor Advisory |
| NVD — CVE-2025-59718 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Arctic Wolf — Malicious SSO Logins Following Disclosure | Security Research |
| Rapid7 — Fortinet SAML SSO Bypass Exploited in the Wild | Security Research |
| Help Net Security — Patched FortiGate Compromised via CVE-2025-59718 (Patch Bypass) | Security Research |