Overview
A critical authentication bypass vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated attackers to bypass FortiCloud SSO login by crafting malicious SAML responses. The vulnerability stems from improper verification of cryptographic signatures in SAML authentication messages. The vulnerability was disclosed on December 9, 2025. CISA has identified CVE-2025-59718 as being exploited but is not currently known to be used in ransomware campaigns.
Technical details
The vulnerability exists in the SAML (Security Assertion Markup Language) authentication implementation of FortiOS, FortiProxy, and FortiSwitchManager. When processing SAML responses from FortiCloud SSO identity providers, the affected products fail to properly verify the cryptographic signatures attached to SAML assertions. An attacker can craft malicious SAML responses without valid signatures or with forged signatures, and the authentication mechanism will accept them as legitimate, allowing unauthorized access to the system.
The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature) , CWE-285 (Improper Authorization) andCWE-287 (Improper Authentication) .
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated attacker can bypass the FortiCloud SSO login mechanism and gain unauthorized administrative or user-level access to FortiOS, FortiProxy, or FortiSwitchManager instances. This could lead to complete compromise of the security appliance, allowing the attacker to modify firewall rules, intercept traffic, exfiltrate data, deploy malware, or pivot to internal networks. The scope is changed because the vulnerability allows unauthorized access beyond the immediate authentication boundary, potentially affecting connected systems and networks protected by the affected device.
Mitigation and workarounds
Upgrade to the fixed versions immediately. Fortinet has released security patches for all affected product versions. See vendor advisories for specific version numbers and upgrade procedures. The following versions include the necessary fixes: FortiOS: 7.6.4 and later, 7.4.6 and later (for 7.4.x branch), FortiProxy: 7.6.4 and later, 7.4.6 and later (for 7.4.x branch), FortiSwitchManager: 7.2.7 and later.
As temporary workarounds: disable forticloud sso authentication temporarily if not critically needed and switch to local authentication or other authentication methods not affected by this vulnerability.; implement network access controls (firewall rules, network segmentation) to restrict which clients can reach the affected devices, limiting the attack surface., and monitor for suspicious saml authentication attempts and anomalous login patterns in authentication logs..
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI
