PT-2025-50118 · Fortinet · Fortiswitchmanager +2

Published: 2025-12-09 · Updated: 2026-02-03 · CVE-2025-59718

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Fortinet FortiOS versions 7.0.0 through 7.6.3
Fortinet FortiProxy versions 7.0.0 through 7.6.3
Fortinet FortiSwitchManager versions 7.0.0 through 7.2.6
Fortinet FortiWeb (affected versions not specified)

Description:
A cryptographic signature verification issue exists in Fortinet products, allowing an unauthenticated attacker to bypass FortiCloud SSO login authentication via a crafted SAML response message. The vulnerability is actively exploited: attackers create unauthorized admin accounts and steal device configurations, even on fully patched systems. Automated attacks have been observed, and the vulnerability persists despite previous patches. Exploitation of this flaw can lead to full administrative access, VPN access, and the exfiltration of sensitive data. Approximately 200,000 FortiGate 7.x admin GUIs are exposed, and around 7% of them have FortiCloud SSO enabled for admin login. The vulnerability is being exploited by the Mozi botnet and Emotet campaigns. The API endpoint used for authentication is not explicitly mentioned.

Recommendations:
Fortinet FortiOS versions prior to 7.7.0: Disable FortiCloud SSO admin login.
Fortinet FortiProxy versions prior to 7.7.0: Disable FortiCloud SSO admin login.
Fortinet FortiSwitchManager versions prior to 7.3.0: Disable FortiCloud SSO admin login.
Restrict administrative access to the affected devices.
Audit logs for new admin account creation and unusual configuration changes.
Rotate administrative credentials.
Disable the vulnerable FortiCloud SSO feature if possible.

Tags: Fix · LPE · RCE

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: BDU:2025-15540, CVE-2025-59718

Affected Products: FortiOS, FortiProxy, FortiSwitchManager