PT-2025-50118 · Fortinet · Fortiswitchmanager+2

Published 2025-12-09 · Updated 2026-05-21 · CVE-2025-59718

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

FortiOS versions 7.6.0 through 7.6.3
FortiOS versions 7.4.0 through 7.4.8
FortiOS versions 7.2.0 through 7.2.11
FortiOS versions 7.0.0 through 7.0.17
FortiProxy versions 7.6.0 through 7.6.3
FortiProxy versions 7.4.0 through 7.4.10
FortiProxy versions 7.2.0 through 7.2.14
FortiProxy versions 7.0.0 through 7.0.21
FortiSwitchManager versions 7.2.0 through 7.2.6
FortiSwitchManager versions 7.0.0 through 7.0.5
FortiWeb (affected versions not specified)
Description

An improper verification of cryptographic signature issue exists in the FortiCloud SSO login authentication mechanism. It allows an unauthenticated remote attacker to bypass authentication by sending a specially crafted SAML (Security Assertion Markup Language) response message, provided the FortiCloud SSO feature is enabled. The feature is disabled by default but may be enabled during device registration with FortiCare.

Real-world exploitation was observed in December 2025 by the Akira ransomware group. Attackers used this bypass to gain initial access to FortiGate appliances, subsequently compromising additional firewalls and moving laterally into internal networks. The attackers targeted high-value systems, including virtualization platforms, domain controllers, and backup infrastructure, using tools such as Mimikatz for credential dumping and PsExec for lateral movement.
Recommendations

For FortiOS versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.17: update to versions 7.6.4, 7.4.9, 7.2.12, and 7.0.18 respectively.
For FortiProxy versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, and 7.0.0 through 7.0.21: update to versions 7.6.4, 7.4.11, 7.2.15, and 7.0.22 respectively.
For FortiSwitchManager versions 7.2.0 through 7.2.6 and 7.0.0 through 7.0.5: update to versions 7.2.7 and 7.0.6 respectively.

As a temporary mitigation, disable the FortiCloud login feature by navigating to System -> Settings and switching "Allow administrative login using FortiCloud SSO" to Off, or by executing the following CLI commands:

    config system global
        set admin-forticloud-sso-login disable
    end
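As an added example (not part of this advisory or of any Fortinet tool), the following Python script encodes the affected and fixed ranges listed above and reads captured `show system global` output to tell whether a device is still exposed. The CLI capture is constructed, and the `enable` value is assumed to be the counterpart of the `disable` used in the mitigation.

```python
import re
# Affected ranges and fixed releases from the advisory: (first, last, fixed)
AFFECTED = {
    "FortiOS": [("7.6.0", "7.6.3", "7.6.4"), ("7.4.0", "7.4.8", "7.4.9"),
                ("7.2.0", "7.2.11", "7.2.12"), ("7.0.0", "7.0.17", "7.0.18")],
    "FortiProxy": [("7.6.0", "7.6.3", "7.6.4"), ("7.4.0", "7.4.10", "7.4.11"),
                   ("7.2.0", "7.2.14", "7.2.15"), ("7.0.0", "7.0.21", "7.0.22")],
    "FortiSwitchManager": [("7.2.0", "7.2.6", "7.2.7"), ("7.0.0", "7.0.5", "7.0.6")],
}

def parse_version(v):
    """'7.4.10' -> (7, 4, 10): compare numerically, not as strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def fixed_version(product, version):
    """Fixed release if (product, version) falls in an affected range, else None."""
    ver = parse_version(version)
    for lo, hi, fixed in AFFECTED.get(product, []):
        if parse_version(lo) <= ver <= parse_version(hi):
            return fixed
    return None

def sso_login_enabled(show_global_output):
    """Read admin-forticloud-sso-login from `show system global` output; an absent
    line means the default (disabled). 'enable' is assumed to be the CLI's on-value."""
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(\w+)", show_global_output, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enable"

def assess(product, version, show_global_output):
    """Combine the version check with the mitigation check into one verdict."""
    fixed = fixed_version(product, version)
    if fixed is None:
        return "not affected"
    if not sso_login_enabled(show_global_output):
        return f"affected but mitigated (SSO login disabled); upgrade to {fixed}"
    return f"VULNERABLE: FortiCloud SSO login enabled; upgrade to {fixed} or disable it"

# Constructed sample of `show system global` output (not a real capture)
SAMPLE_CONFIG = """config system global
    set admin-forticloud-sso-login enable
    set hostname FGT-EDGE-01
end
"""

if __name__ == "__main__":
    print(assess("FortiOS", "7.4.8", SAMPLE_CONFIG))
    print(assess("FortiOS", "7.4.9", SAMPLE_CONFIG))
```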

Fix · RCE · LPE

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2025-15540
CVE-2025-59718

Affected Products

FortiOS
FortiProxy
FortiSwitchManager