PT-2025-50118 · Fortinet · FortiOS +2

Published: 2025-12-09 · Updated: 2026-04-17 · CVE-2025-59718

CVSS v2.0: 10 (Critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Fortinet FortiOS versions 7.0.0 through 7.0.17, FortiOS versions 7.2.0 through 7.2.11, FortiOS versions 7.4.0 through 7.4.8, FortiOS versions 7.6.0 through 7.6.3, FortiProxy versions 7.0.0 through 7.0.21, FortiProxy versions 7.2.0 through 7.2.14, FortiProxy versions 7.4.0 through 7.4.10, FortiProxy versions 7.6.0 through 7.6.3, FortiSwitchManager versions 7.0.0 through 7.0.5, FortiSwitchManager versions 7.2.0 through 7.2.6.
Description: A cryptographic signature verification issue exists in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. When FortiCloud SSO admin login is enabled, it allows an unauthenticated attacker to bypass that authentication by sending a crafted SAML message. Active exploitation has been observed, with attackers creating admin accounts and stealing configurations even on fully patched systems. Attackers are leveraging this vulnerability to gain unauthorized access, establish persistence, and potentially compromise internal networks. The vulnerability is actively exploited by threat actors, including the Akira ransomware group. Approximately 200,000 FortiGate 7.x admin GUIs are exposed, with around 7% having FortiCloud SSO enabled for admin login.
Recommendations: As a temporary workaround, disable FortiCloud SSO admin login (the vulnerable function) until a complete fix is available. Restrict administrative access. Monitor logs for suspicious admin account creation and configuration changes. Rotate credentials. Upgrade to a fixed version when available.
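As an added example (not part of this catalogue entry or any Fortinet tooling), the following Python sketch implements the monitoring recommendation above: it parses FortiOS-style key="value" event log lines and flags FortiCloud SSO admin logins, admin accounts created shortly after such a login, and configuration changes by admins outside an allowlist. The log lines are constructed, and the field names and values relied on (method="sso", logdesc, action, cfgpath="system.admin", cfgobj, ui) are assumptions about the log layout that should be mapped to a real log export before use.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiOS event-log style. The field names follow
# the usual FortiGate layout (assumed here, not taken from the advisory); every
# value is invented for this example.
SAMPLE_LOGS = [
    'date=2025-12-10 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" user="cloud-sso-user" ui="https(203.0.113.10)" method="sso" msg="Administrator logged in successfully"',
    'date=2025-12-10 time=03:13:01 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-sso-user" ui="GUI(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2025-12-10 time=09:40:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="local" msg="Administrator logged in successfully"',
    'date=2025-12-10 time=09:41:00 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fortios_log(line):
    """Turn one key=value event line into a dict with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def find_suspicious(lines, known_admins, window=timedelta(minutes=10)):
    """Return (reason, user, source) tuples for events an analyst should review."""
    findings = []
    sso_logins = {}  # user -> timestamp of the most recent SSO admin login
    for ev in map(parse_fortios_log, lines):
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        user, src = ev.get("user"), ev.get("ui")
        # Any admin login through FortiCloud SSO is notable while the feature
        # is supposed to be disabled as a workaround.
        if ev.get("logdesc") == "Admin login successful" and ev.get("method") == "sso":
            sso_logins[user] = ts
            findings.append(("admin_login_via_forticloud_sso", user, src))
        if ev.get("action") in ("Add", "Edit", "Delete"):
            if ev["action"] == "Add" and ev.get("cfgpath") == "system.admin":
                reason = "new_admin_account_created"
                # Account creation soon after an SSO login matches the
                # post-exploitation pattern described in the advisory.
                if user in sso_logins and ts - sso_logins[user] <= window:
                    reason += "_after_sso_login"
                findings.append((reason, user, src))
            elif user not in known_admins:
                findings.append(("config_change_by_unknown_admin", user, src))
    return findings
```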

Tags: Fix · RCE · LPE

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: BDU:2025-15540, CVE-2025-59718

Affected Products: FortiOS, FortiProxy, FortiSwitchManager