Aperçu
A critical authentication bypass vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated attackers to bypass FortiCloud SSO login by crafting malicious SAML responses. The vulnerability stems from improper verification of cryptographic signatures in SAML authentication messages. La vulnérabilité a été divulguée le December 9, 2025. CISA a identifié CVE-2025-59718 comme étant exploitée mais n'est pas actuellement connue pour être utilisée dans des campagnes de rançongiciel.
Détails techniques
The vulnerability exists in the SAML (Security Assertion Markup Language) authentication implementation of FortiOS, FortiProxy, and FortiSwitchManager. When processing SAML responses from FortiCloud SSO identity providers, the affected products fail to properly verify the cryptographic signatures attached to SAML assertions. An attacker can craft malicious SAML responses without valid signatures or with forged signatures, and the authentication mechanism will accept them as legitimate, allowing unauthorized access to the system.
La vulnérabilité est classifiée comme CWE-347 (Improper Verification of Cryptographic Signature) , CWE-285 (Improper Authorization) etCWE-287 (Improper Authentication) .
La vulnérabilité a reçu un score de base CVSS v3.1 de 9.8 (CRITICAL) avec la chaîne vectorielle CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indiquant sa nature critical.
Impact
An unauthenticated attacker can bypass the FortiCloud SSO login mechanism and gain unauthorized administrative or user-level access to FortiOS, FortiProxy, or FortiSwitchManager instances. This could lead to complete compromise of the security appliance, allowing the attacker to modify firewall rules, intercept traffic, exfiltrate data, deploy malware, or pivot to internal networks. The scope is changed because the vulnerability allows unauthorized access beyond the immediate authentication boundary, potentially affecting connected systems and networks protected by the affected device.
Mitigation et contournements
Upgrade to the fixed versions immediately. Fortinet has released security patches for all affected product versions. See vendor advisories for specific version numbers and upgrade procedures. Les versions suivantes incluent les correctifs nécessaires : FortiOS: 7.6.4 and later, 7.4.6 and later (for 7.4.x branch), FortiProxy: 7.6.4 and later, 7.4.6 and later (for 7.4.x branch), FortiSwitchManager: 7.2.7 and later.
Comme contournements temporaires : disable forticloud sso authentication temporarily if not critically needed and switch to local authentication or other authentication methods not affected by this vulnerability.; implement network access controls (firewall rules, network segmentation) to restrict which clients can reach the affected devices, limiting the attack surface., et monitor for suspicious saml authentication attempts and anomalous login patterns in authentication logs..
Recommandation de CISA : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ressources additionnelles
Source : Ce rapport a été généré par IA
