Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning by adding CVE-2025-59718, a critical vulnerability in Fortinet products, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the vulnerability is being actively exploited in the wild. The flaw, which has a CVSS score of 9.1, is an improper cryptographic signature verification that allows an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) and gain administrative access to affected devices. Products impacted include FortiOS, FortiProxy, and FortiWeb. Attackers have been observed exploiting this flaw to export device configurations, which can contain sensitive information like hashed credentials. CISA has set a patching deadline of December 23, 2025, for federal agencies and strongly urges all organizations using the affected products to patch immediately or apply the recommended mitigation.

Vulnerability Details

CVE-2025-59718 is an improper verification of a cryptographic signature vulnerability. When FortiCloud SSO is enabled on an affected Fortinet appliance, an unauthenticated remote attacker can send a specially crafted SAML (Security Assertion Markup Language) message to the device. The device fails to properly validate the signature of this message, allowing the attacker to bypass the authentication process and gain administrative access.

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• CVSS Score: 9.1 (Critical)

The attack is particularly dangerous because it requires no authentication and no user interaction, making it easy for attackers to automate and scale. A related vulnerability, CVE-2025-59719, addresses the same underlying issue and is patched concurrently.

Affected Systems

The vulnerability affects multiple Fortinet products where the FortiCloud SSO feature is enabled. It is important to note that while this feature is not enabled by default, it can be automatically activated when an administrator registers a device to FortiCare.

• FortiOS
• FortiProxy
• FortiWeb
• FortiSwitchManager

Organizations must consult the official Fortinet security advisory (FG-IR-25-329) for the specific list of vulnerable versions and apply the appropriate patches.

Exploitation Status

According to CISA and security firm Arctic Wolf, CVE-2025-59718 is under active exploitation. Malicious activity was observed starting on December 12, 2025, just days after Fortinet released the patches. Threat actors are known to be exploiting the vulnerability to gain initial access to target networks. Post-exploitation activity includes exporting the device configuration. This is a significant step, as the configuration file can contain hashed user passwords and other sensitive network information, which attackers can take offline to crack and use for further compromise and lateral movement.

Impact Assessment

A successful exploit of CVE-2025-59718 grants an attacker administrative access to a critical network security appliance. The business impact is severe:

• Full Network Compromise: An attacker with control over a firewall or proxy can monitor, modify, or redirect network traffic, disable security policies, and gain a foothold for deeper network penetration.
• Credential Theft: By exporting the device configuration, attackers can obtain hashed credentials for all local users, potentially leading to the compromise of other systems if password reuse is prevalent.
• Data Exfiltration: The attacker can reconfigure the device to allow exfiltration of sensitive data from the internal network.
• Loss of Trust in Security Infrastructure: A compromise of the primary security appliance undermines the entire security posture of an organization.

Detection Methods

• Log Analysis: Review authentication logs on Fortinet appliances for successful logins via FortiCloud SSO from unexpected or unrecognized IP addresses. According to Arctic Wolf, look for log entries indicating a successful SSO login immediately followed by a configuration backup.
• Vulnerability Scanning: Use vulnerability management tools to scan your environment for affected Fortinet product versions. Ensure your scanner has updated plugins to detect CVE-2025-59718.
• Configuration Review: Check your Fortinet devices to see if the FortiCloud SSO login feature (config system admin/set forticloud-sso-login) is enabled. If it is, the device is potentially vulnerable and should be treated with high priority.

Remediation Steps

1. Patch Immediately: The primary solution is to upgrade to a patched version of the firmware as specified in the Fortinet security advisory. This is the only way to fully remediate the vulnerability. This aligns with D3FEND Software Update (D3-SU).
2. Apply Workaround: If patching is not immediately possible, Fortinet recommends disabling the FortiCloud SSO login feature as a temporary mitigation. This can be done via the CLI with the command:

   config system admin
       edit <admin-user>
           set forticloud-sso-login disable
       next
   end
   

   This is a form of D3FEND Application Configuration Hardening (D3-ACH).
3. Hunt for Compromise: After patching or applying the workaround, review logs for any signs of exploitation that may have occurred before the fix was applied. If suspicious activity is found, assume a breach and initiate your incident response plan.