PT-2025-50118 · Fortinet · FortiOS, FortiProxy, FortiSwitchManager

Published: 2025-12-09 · Updated: 2026-03-03 · CVE-2025-59718

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fortinet FortiOS versions 7.0.0 through 7.6.3
Fortinet FortiProxy versions 7.0.0 through 7.6.3
Fortinet FortiSwitchManager versions 7.0.0 through 7.2.6
Fortinet FortiWeb (affected versions not specified)

Description
A cryptographic signature verification issue in Fortinet products allows an unauthenticated attacker to bypass FortiCloud SSO login authentication via a crafted SAML response message. The vulnerability is actively exploited: attackers create unauthorized administrator accounts and potentially steal configuration data. Reports indicate that exploitation continues even on systems with the patch applied, suggesting a patch bypass. The vulnerability is being exploited by the Mozi botnet and Emotet campaigns. Approximately 200,000 FortiGate 7.x admin GUIs are exposed, with around 7% having FortiCloud SSO enabled for admin login. Exploitation involves sending crafted SAML messages to the device to gain administrative access.

Recommendations
Fortinet FortiOS versions prior to 7.7.0: Disable FortiCloud SSO admin login.
Fortinet FortiProxy versions prior to 7.7.0: Disable FortiCloud SSO admin login.
Fortinet FortiSwitchManager versions prior to 7.3.0: Disable FortiCloud SSO admin login.
Fortinet FortiWeb: Restrict admin access.
Audit logs for new admin account creation and sudden configuration changes.
Rotate administrative credentials.
Upgrade firmware when a permanent fix is available.
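As an added example (not part of the PT record or of any Fortinet tooling), the following Python script applies the audit recommendation above to constructed FortiOS-style event log lines: it flags creation or modification of local administrator accounts (cfgpath system.admin) and bursts of configuration changes from a single source, which is what post-exploitation of this bug would look like in the logs. The key="value" layout and the field names logdesc, ui, action, cfgpath and cfgobj are assumed from FortiOS configuration-change events; the sample lines and their values are constructed.

```python
import re
from datetime import datetime

# Constructed FortiOS-style event log lines (space-separated key="value" pairs).
# Field names are assumed from FortiOS config-change events; values are invented.
SAMPLE_LOGS = """\
date=2025-12-10 time=03:14:07 logdesc="Object attribute configured" user="admin" ui="sso(198.51.100.23)" action="Add" cfgpath="system.admin" cfgobj="backup_admin" cfgattr="accprofile[super_admin]"
date=2025-12-10 time=03:14:09 logdesc="Object attribute configured" user="admin" ui="sso(198.51.100.23)" action="Edit" cfgpath="system.global" cfgobj="global" cfgattr="admin-sport[443->8443]"
date=2025-12-10 time=09:00:01 logdesc="Object attribute configured" user="jsmith" ui="GUI(10.0.0.5)" action="Edit" cfgpath="firewall.address" cfgobj="lan_net" cfgattr="subnet[10.0.0.0/24]"
"""

# key=value where the value is either "quoted" (group 2) or bare (group 3)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_events(text):
    """Parse each non-empty log line into a dict of field -> value."""
    events = []
    for line in text.splitlines():
        fields = {}
        for m in KV_RE.finditer(line):
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        if fields:
            events.append(fields)
    return events

def event_time(ev):
    return datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")

def find_admin_account_changes(text):
    """Events that add or edit a local administrator (cfgpath system.admin)."""
    return [ev for ev in parse_events(text)
            if ev.get("cfgpath") == "system.admin"
            and ev.get("action") in ("Add", "Edit")]

def config_change_bursts(text, window_seconds=60, threshold=2):
    """Sources (ui field) with >= threshold config changes inside one window: {ui: count}."""
    times_by_source = {}
    for ev in parse_events(text):
        if ev.get("logdesc") == "Object attribute configured":
            times_by_source.setdefault(ev.get("ui", "?"), []).append(event_time(ev))
    bursts = {}
    for src, times in times_by_source.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= threshold:
                bursts[src] = max(bursts.get(src, 0), n)
    return bursts
```

Run `find_admin_account_changes(SAMPLE_LOGS)` and `config_change_bursts(SAMPLE_LOGS)` against exported device logs to surface the "backup_admin" creation and the two-change burst from the SSO session in the sample.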

Fix · RCE · LPE

Weakness Enumeration
Improper Verification of Cryptographic Signature

Related Identifiers
BDU:2025-15540
CVE-2025-59718

Affected Products
FortiOS
FortiProxy
FortiSwitchManager