PT-2025-50118 · Fortinet · FortiOS +2

Published: 2025-12-09 · Updated: 2026-05-04 · CVE-2025-59718

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

FortiOS versions 7.0.0 through 7.0.17
FortiOS versions 7.2.0 through 7.2.11
FortiOS versions 7.4.0 through 7.4.8
FortiOS versions 7.6.0 through 7.6.3
FortiProxy versions 7.0.0 through 7.0.21
FortiProxy versions 7.2.0 through 7.2.14
FortiProxy versions 7.4.0 through 7.4.10
FortiProxy versions 7.6.0 through 7.6.3
FortiSwitchManager versions 7.0.0 through 7.0.5
FortiSwitchManager versions 7.2.0 through 7.2.6
FortiWeb (affected versions not specified)
Description

An improper verification of cryptographic signature issue allows an unauthenticated remote attacker to bypass FortiCloud SSO login authentication. This is achieved by sending a crafted SAML response message, granting full administrative access to the device without a password or token. Real-world exploitation has been observed in which attackers create unauthorized local admin accounts, enable SSL VPN, and exfiltrate firewall configurations. In some incidents, attackers used tools such as Mimikatz for credential harvesting and PsExec or RDP for lateral movement towards domain controllers and backup infrastructure. Reports indicate that some automated attacks have succeeded even on devices previously thought to be patched, suggesting a new attack pathway. Approximately 200,000 FortiGate 7.x admin GUIs are exposed globally, with a significant portion having FortiCloud SSO enabled.
Recommendations

For FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb, update to the latest non-affected firmware version. As a temporary workaround, disable the FortiCloud SSO login feature by navigating to System -> Settings and switching "Allow administrative login using FortiCloud SSO" to Off, or by using the CLI command "set admin-forticloud-sso-login disable" within the "config system global" context.
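To turn the affected-version list and the workaround above into something a defender can run over a fleet, the following added Python script (not part of this advisory or of any Fortinet tooling) checks a reported version against the advisory's ranges and inspects a configuration backup for the "set admin-forticloud-sso-login" key inside "config system global". The config fragment is constructed for illustration; the "set hostname" line and hostname are made up, and the version string is assumed to be supplied as plain "major.minor.patch".

```python
import re
# Inclusive affected ranges as listed in the advisory, per product.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 17)), ((7, 2, 0), (7, 2, 11)),
                ((7, 4, 0), (7, 4, 8)), ((7, 6, 0), (7, 6, 3))],
    "FortiProxy": [((7, 0, 0), (7, 0, 21)), ((7, 2, 0), (7, 2, 14)),
                   ((7, 4, 0), (7, 4, 10)), ((7, 6, 0), (7, 6, 3))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 5)), ((7, 2, 0), (7, 2, 6))],
}

def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(product, version):
    """True when the version lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))

def sso_login_setting(config_text):
    """'enable'/'disable' from 'set admin-forticloud-sso-login' within the
    'config system global' block, or None when the key is not set there."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif in_global and line == "end":
            break
        elif in_global:
            m = re.fullmatch(r"set admin-forticloud-sso-login (enable|disable)", line)
            if m:
                return m.group(1)
    return None

def assess(product, version, config_text):
    """Triage verdict: the workaround matters whenever SSO login is not disabled."""
    affected = is_affected(product, version)
    sso_off = sso_login_setting(config_text) == "disable"
    if affected:
        action = "upgrade" + ("" if sso_off else "; disable FortiCloud SSO login meanwhile")
    else:
        action = "version not listed" + ("" if sso_off else "; SSO login not disabled, review")
    return {"affected_version": affected, "sso_disabled": sso_off, "action": action}

# Constructed sample config fragment (not from a real device); hostname is made up.
SAMPLE_CONFIG = "config system global\n    set admin-forticloud-sso-login enable\n    set hostname FGT-LAB\nend\n"
```

A key that is absent from the block is reported as not disabled, since the advisory notes exploitation on devices thought to be patched; confirm the device default rather than assuming it.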

Fix · LPE · RCE

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2025-15540
CVE-2025-59718

Affected Products

FortiOS
FortiProxy
FortiSwitchManager