CVE-2025-59718

Severity: Critical · CISA KEV

Fortinet FortiOS/FortiProxy/FortiSwitchManager SAML Signature Verification Bypass


Exploitation Summary

CVE-2025-59718 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 16, 2025. EIP tracks 3 public exploits from the researchers exfil0, adminlove520, and moften.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2025-59718, an authentication bypass vulnerability in Fortinet products due to improper SAML signature verification. The exploit crafts unsigned SAML responses to gain administrative access and includes features for bulk scanning, proxy support, and post-authentication actions.

Description

An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, and FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Exploits (3)

Source: nomisec · Working PoC · 4 stars
by exfil0 · tags: poc
https://github.com/exfil0/CVE-2025-59718-PoC

This repository contains a functional proof-of-concept exploit for CVE-2025-59718, an authentication bypass vulnerability in Fortinet products due to improper SAML signature verification. The exploit crafts unsigned SAML responses to gain administrative access and includes features for bulk scanning, proxy support, and post-authentication actions.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiOS, FortiProxy, FortiSwitchManager (versions prior to 7.4.9)
Authentication: none needed
Prerequisites: Network access to target · FortiCloud SSO enabled on target
Analyzed by devstral-2 on Feb 16, 2026
Source: github · Working PoC · 2 stars
by adminlove520 · tags: python, poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-59718

This repository contains a functional Python exploit for CVE-2025-59718, an authentication bypass vulnerability in Fortinet products (FortiOS, FortiProxy, FortiSwitchManager) due to improper SAML signature verification. The exploit crafts unsigned SAML responses to gain administrative access and supports features like multi-threading, proxy usage, and post-authentication actions.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiOS, FortiProxy, FortiSwitchManager (versions prior to 7.4.9)
Authentication: none needed
Prerequisites: FortiCloud SSO enabled on target · network access to target · Python 3.8+ with the requests library
Analyzed by devstral-2 on Feb 27, 2026
Source: nomisec · Scanner · 2 stars
by moften · tags: poc
https://github.com/moften/CVE-2025-59718-Fortinet-Poc

This repository contains a Python-based scanner for detecting CVE-2025-59718 and CVE-2025-59719 in Fortinet devices (FortiOS, FortiProxy, FortiSwitchManager, FortiWeb). It supports passive fingerprinting, active non-destructive tests, and authenticated SSH checks.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiOS, FortiProxy, FortiSwitchManager, FortiWeb
Authentication: none needed
Prerequisites: Network access to target device · Optional SSH credentials for authenticated checks
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.1207
EPSS Percentile: 94.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2025-12-16
VulnCheck KEV: 2025-12-15
ENISA EUVD: EUVD-2025-202198
CWE: CWE-347
Status: published
Products (14)
Fortinet/FortiOS 7.0.0 - 7.0.17
fortinet/fortios 7.0.0 - 7.0.18
Fortinet/FortiOS 7.2.0 - 7.2.11
Fortinet/FortiOS 7.4.0 - 7.4.8
Fortinet/FortiOS 7.6.0 - 7.6.3
Fortinet/FortiProxy 7.0.0 - 7.0.21
fortinet/fortiproxy 7.0.0 - 7.0.22
Fortinet/FortiProxy 7.2.0 - 7.2.14
Fortinet/FortiProxy 7.4.0 - 7.4.10
Fortinet/FortiProxy 7.6.0 - 7.6.3
... and 4 more
Published: Dec 09, 2025
KEV Added: Dec 16, 2025
Tracked Since: Feb 18, 2026