Summary
CVE-2025-59718 is a critical Fortinet FortiCloud SSO flaw that lets attackers gain admin access using crafted SAML messages. Exploitation has been seen in the wild, including rogue admin creation and firewall config theft. Fortinet issued updates and advises disabling FortiCloud SSO until fully patched.
Urgent Actions Required
- Apply the latest Fortinet patches for affected products immediately (FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+; FortiProxy 7.6.4+, 7.4.11+, 7.2.15+, 7.0.22+; FortiSwitchManager 7.2.7+, 7.0.6+; FortiWeb 7.6.5+, 7.4.10+, 8.0.1+).
- Temporarily disable FortiCloud SSO on affected devices.
- Check logs for suspicious SSO activity and unexpected admin accounts.
- Limit management access to trusted networks and reset credentials if needed.
Which Systems Are Vulnerable to CVE-2025-59718?
Technical Overview
- Vulnerability Type: Authentication Bypass via FortiCloud SSO and Malicious SAML Messages
- Affected Software/Versions:
- FortiOS: 7.0.0-7.0.17, 7.2.0-7.2.11, 7.4.0-7.4.8, 7.6.0-7.6.3
- FortiProxy: 7.0.0-7.0.21, 7.2.0-7.2.14, 7.4.0-7.4.10, 7.6.0-7.6.3
- FortiSwitchManager: 7.0.0-7.0.5, 7.2.0-7.2.6
- FortiWeb: 7.4.0-7.4.9, 7.6.0-7.6.4, 8.0.0
- CVSS Vector: v3.1
- Attack Vector: Network (SSO login over Internet-facing devices)
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available [1]
How Does the CVE-2025-59718 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-59718?
Vulnerability Root Cause:
The issue is caused by weak signature checks in FortiCloud SSO. Fortinet devices don’t properly verify SAML responses, so crafted messages can bypass SSO and give attackers admin access without credentials.
How Can You Mitigate CVE-2025-59718?
If immediate patching is delayed or not possible:
- Temporarily disable FortiCloud SSO admin login.
- Limit firewall and VPN access to trusted networks.
- Check logs for unusual SSO logins or new admin accounts.
- Assume credential exposure if compromise indicators are found and reset all affected administrative credentials immediately.
- Monitor for configuration export activity, as attackers have been observed downloading full firewall configurations shortly after gaining access.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- Fortinet devices using FortiCloud SSO: FortiGate, FortiProxy, FortiSwitchManager, FortiWeb
- SAML-based admin login on FortiCloud SSO devices
- Business-Critical Systems at Risk:
- Firewall interfaces – Attackers can get admin access and change settings
- VPN and Remote Access Services – Malicious accounts may be granted VPN access after SSO compromise
- Network Monitoring and SIEM Pipelines – Compromise can occur even when logs are the only early warning signal
- Exposure Level:
- Internet-facing Fortinet Devices – Systems with FortiCloud SSO enabled and reachable from the internet face the highest risk
- Registered FortiCare Devices – FortiCloud SSO-enabled devices are at risk even if SSO isn’t actively used
- Fully Patched Environments – Exploitation has occurred on versions previously believed to be fixed, indicating incomplete earlier mitigations
Will Patching CVE-2025-59718 Cause Downtime?
Patch application impact: Fix the issue by updating Fortinet firmware; a reboot may cause brief, planned downtime.
Mitigation (if immediate patching is not possible): Temporarily disable FortiCloud SSO and limit management access; full protection needs official patches.
How Can You Detect CVE-2025-59718 Exploitation?
- Exploitation Signatures:
- Successful FortiCloud SSO logins from unknown or untrusted public IP addresses
- Administrative access is gained even when FortiCloud SSO is not actively used by the organization
- Indicators of Compromise (IOCs/IOAs):
- New administrator accounts are created shortly after an SSO login (commonly using generic names such as helpdesk or support).
- Logs showing forticloud-sso as the authentication method for admin access.
- System configuration exports occur soon after SSO-based logins.
- Behavioral Indicators:
- Multiple administrative actions executed within seconds of initial access, suggesting automation.
- VPN access granted to newly created local administrator accounts.
- Unexpected changes to firewall or system configurations.
- Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- FortiCloud SSO admin logins from unfamiliar IP addresses
- Creation of new administrator accounts
- Configuration download or export events following SSO authentication
Remediation & Response
- Mitigation Steps if No Patch:
- Disable FortiCloud SSO administrative login on affected devices through system settings or CLI.
- Restrict access to the management interface by applying local-in policies and limiting source IP addresses.
- Prevent direct internet exposure of FortiGate administration panels wherever possible.
- Monitor authentication and system logs for unexpected SSO logins, new admin account creation, and configuration exports.
- Remediation Timeline:
- Immediate: Turn off FortiCloud SSO login and apply access restrictions to the admin interface.
- Short term: Review devices for unauthorized admin users and remove any accounts not explicitly approved.
- Ongoing: Track Fortinet advisories and apply updated firmware releases once officially available.
- Rollback Plan:
- If malicious activity is confirmed, restore firewall configurations from a known clean backup.
- Revert unauthorized changes to firewall, VPN, or system settings made after compromise.
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | High severity, indicating critical impact and exploitability |
| Attack Vector | Network | The vulnerability can be exploited remotely over a network connection |
| Attack Complexity | Low | Exploitation does not depend on special conditions or complex steps |
| Privileges Required | None | No authentication or prior access is needed to carry out the attack |
| User Interaction | None | The exploit does not require any user action to succeed |
| Scope | UnChanged | The impact remains within the affected component and does not extend beyond it |
| Confidentiality Impact | High | Successful exploitation can expose sensitive or protected information |
| Integrity Impact | High | An attacker can alter data or bypass security controls |
| Availability Impact | High | The vulnerability can significantly disrupt or degrade system availability |
