CVE-2025-59718

|
CVE-2025-59718 vulnerability security critical severity Fortinet FortiProxy FortiSwitchManager SAML SSO Bypass authentication bypass CVE database

Summary

CVE-2025-59718 is a critical vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This improper verification of cryptographic signature flaw allows an unauthenticated attacker to bypass FortiCloud SSO login authentication by crafting a malicious SAML response message, potentially granting unauthorized access to sensitive systems.

Technical Details

CVE-2025-59718 stems from a failure to properly validate the cryptographic signature of SAML (Security Assertion Markup Language) responses used for FortiCloud Single Sign-On (SSO) authentication. An attacker can exploit this by crafting a malicious SAML response that appears legitimate to the affected Fortinet devices. This crafted response bypasses the intended authentication checks, allowing the attacker to impersonate a valid user and gain unauthorized access to resources protected by FortiCloud SSO.

The vulnerability lies in the inadequate implementation of signature verification within the SAML processing logic. Specifically, the affected products do not sufficiently verify the integrity and authenticity of the SAML assertion's signature, making them susceptible to signature forgery or manipulation. This allows an attacker to inject arbitrary claims into the SAML response, effectively hijacking the authentication process.

The attack involves intercepting or crafting a SAML response and modifying it to include the attacker's desired user identity or privileges. The attacker then presents this modified SAML response to the Fortinet device, which, due to the flawed signature verification, accepts it as valid. This grants the attacker access to the system as the impersonated user, bypassing the intended security controls.

Affected Products and Versions

  • Fortinet FortiOS 7.6.0 through 7.6.3
  • Fortinet FortiOS 7.4.0 through 7.4.8
  • Fortinet FortiOS 7.2.0 through 7.2.11
  • Fortinet FortiOS 7.0.0 through 7.0.17
  • Fortinet FortiProxy 7.6.0 through 7.6.3
  • Fortinet FortiProxy 7.4.0 through 7.4.10
  • Fortinet FortiProxy 7.2.0 through 7.2.14
  • Fortinet FortiProxy 7.0.0 through 7.0.21
  • Fortinet FortiSwitchManager 7.2.0 through 7.2.6
  • Fortinet FortiSwitchManager 7.0.0 through 7.0.5

Impact Assessment

Successful exploitation of CVE-2025-59718 can have severe consequences, potentially leading to complete system compromise and unauthorized access to sensitive data.

  • Data Breach Risk: Attackers can gain access to confidential data stored within the affected systems, leading to data breaches and potential regulatory violations.
  • System Compromise: Unauthorized access can allow attackers to modify system configurations, install malware, or disrupt critical services, leading to system instability and downtime.
  • Lateral Movement: Once inside the network, attackers can use the compromised system as a springboard to access other internal resources and escalate their privileges.
  • Reputational Damage: A successful attack can damage the organization's reputation and erode customer trust.

Remediation

Immediate Actions

  • Apply Patches: Immediately apply the security patches released by Fortinet to address CVE-2025-59718. Refer to the Fortinet advisory for specific patch versions.
  • Review Access Logs: Monitor access logs for suspicious activity and unauthorized login attempts. Investigate any anomalies promptly.
  • Enable Multi-Factor Authentication (MFA): Implement MFA for all user accounts to add an extra layer of security and prevent unauthorized access even if the SAML signature is bypassed.

Long-term Solutions

  • Implement Robust SAML Validation: Ensure that SAML signature verification is implemented correctly and thoroughly across all systems.
  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities in the authentication and authorization mechanisms.
  • Stay Updated: Keep all software and firmware up to date with the latest security patches to mitigate known vulnerabilities.

References

Detection & Scanning

Detecting CVE-2025-59718 requires careful monitoring of network traffic and system logs for suspicious SAML activity. Look for unusual patterns in SAML responses, such as unexpected user identities or privilege escalations. Security Information and Event Management (SIEM) systems can be configured to alert on these anomalies.

Vulnerability scanners can also be used to identify vulnerable Fortinet devices within the network. Ensure that the scanner is up to date with the latest vulnerability definitions to accurately detect CVE-2025-59718.

Scan Your Website

Secably AI Scanner can detect this and 50+ other vulnerabilities automatically.

Start Free Scan

Scan Your Website for Vulnerabilities

Discover security issues before attackers do. Our AI-powered scanner checks for the vulnerabilities discussed in this guide and more.

Start Free Scan