PT-2025-50118 · Fortinet · Fortios +2

Published 2025-12-09 · Updated 2025-12-17 · CVE-2025-59718

CVSS v2.0: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Fortinet FortiOS versions 7.0.0 through 7.6.3
Fortinet FortiProxy versions 7.0.0 through 7.6.3
Fortinet FortiSwitchManager versions 7.0.0 through 7.2.6
Fortinet FortiWeb (affected versions not specified)
Description
An improper verification of cryptographic signature exists in Fortinet products when FortiCloud SSO is used. It allows an unauthenticated, remote attacker to bypass FortiCloud SSO login authentication by sending a crafted SAML response message to the /remote/saml/login API endpoint; the Issuer element within the SAML response is a key component of the attack. Reports indicate active exploitation of this issue, with at least seven distinct IP addresses observed exploiting honeypots. Approximately 189,212 internet-exposed systems running affected FortiOS versions and 30,044 with FortiCloud SSO enabled have been identified globally.
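The advisory names the Issuer element and the signature check as the weak points. As an added, defender-side illustration (not Fortinet's code, and not a description of the actual defect in FortiOS), the following Python shows the structural pre-checks a SAML service provider should apply to an incoming response before handing it to a signature-verifying library: the Issuer is pinned to the one configured IdP rather than merely required to be present, every assertion must carry an enveloped signature, and that signature's Reference must cover the assertion's own ID. The expected issuer value, the sample responses, and the function name are constructed for the example; real cryptographic verification of the signature still has to be done with an XML-DSig library such as xmlsec.

```python
"""Service-provider pre-checks for a SAML 2.0 Response.

Added illustration, not Fortinet code.  EXPECTED_ISSUER, the sample
responses and precheck_saml_response() are constructed for this example.
An empty result means "structurally acceptable, now verify the signature
cryptographically"; a non-empty result lists reasons to reject outright.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: the entityID of the single IdP this service provider trusts.
EXPECTED_ISSUER = "https://idp.example.invalid/saml/metadata"


def _issuer_text(node) -> str:
    issuer = node.find("saml:Issuer", NS)
    return (issuer.text or "").strip() if issuer is not None else ""


def precheck_saml_response(xml_text: str, expected_issuer: str = EXPECTED_ISSUER) -> list:
    """Return a list of rejection reasons (empty list == proceed to XML-DSig verification)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    problems = []

    # 1. Pin the Issuer: presence alone proves nothing, it must equal the configured IdP.
    if _issuer_text(root) != expected_issuer:
        problems.append(f"Response Issuer {_issuer_text(root)!r} is not the configured IdP")

    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("no saml:Assertion present")

    for assertion in assertions:
        aid = assertion.get("ID") or ""
        if _issuer_text(assertion) != expected_issuer:
            problems.append(f"Assertion {aid!r} Issuer is not the configured IdP")

        # 2. Require an enveloped signature on the assertion itself ...
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            problems.append(f"Assertion {aid!r} has no ds:Signature")
            continue

        # 3. ... whose Reference actually covers this assertion (URI="#<ID>").
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        if uri != "#" + aid:
            problems.append(f"Assertion {aid!r}: Reference URI {uri!r} does not cover it")

    return problems


# Constructed sample: issuer pinned correctly, assertion signed over its own ID.
# The SignatureValue is a placeholder; an XML-DSig library must still verify it.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: issuer not the configured IdP and no signature at all.
UNTRUSTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Issuer>https://other-idp.example.invalid/metadata</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://other-idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("good:", precheck_saml_response(GOOD_RESPONSE))
    print("untrusted:", precheck_saml_response(UNTRUSTED_RESPONSE))
```

The point of the example is the ordering: a service provider decides which IdP it trusts from its own configuration, compares the Issuer against that fixed value, and only then verifies the signature with the key belonging to that IdP. Deriving the trusted key from whatever Issuer the response happens to carry inverts that order and is the pattern this kind of signature-verification weakness usually comes down to.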
Recommendations
FortiOS versions prior to 7.7.0
FortiProxy versions prior to 7.7.0
FortiSwitchManager versions prior to 7.3.0
Disable FortiCloud SSO authentication as a temporary workaround.

Fix

RCE

Weakness Enumeration
Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2025-15540
CVE-2025-59718

Affected Products

Fortios
Fortiproxy
Fortiswitchmanager