CISA Adds Actively Exploited Fortinet SSO Flaw to KEV Catalog, Urges Immediate Patching

CISA Warns of Active Exploitation of Critical Fortinet SSO Bypass Vulnerability (CVE-2025-59718)

CRITICAL
December 17, 2025
December 24, 2025
5m read
VulnerabilityPatch ManagementCyberattack

Related Entities(initial)

Organizations

CISA Fortinet Arctic Wolf

Products & Tech

FortiOSFortiProxyFortiWebFortiSwitchMasterSAML

CVE Identifiers

CVE-2025-59718
CRITICAL
CVSS:9.1
CVEDetails.com CVE.org
CVE-2025-59719
CRITICAL
CVSS:9.1
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1133Initial Access

External Remote Services

T1659Initial Access

Content Injection

T1003Credential Access

OS Credential Dumping

Full Report(when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning by adding CVE-2025-59718, a critical vulnerability in Fortinet products, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the vulnerability is being actively exploited in the wild. The flaw, which has a CVSS score of 9.1, is an improper cryptographic signature verification that allows an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) and gain administrative access to affected devices. Products impacted include FortiOS, FortiProxy, and FortiWeb. Attackers have been observed exploiting this flaw to export device configurations, which can contain sensitive information like hashed credentials. CISA has set a patching deadline of December 23, 2025, for federal agencies and strongly urges all organizations using the affected products to patch immediately or apply the recommended mitigation.

Vulnerability Details

CVE-2025-59718 is an improper verification of a cryptographic signature vulnerability. When FortiCloud SSO is enabled on an affected Fortinet appliance, an unauthenticated remote attacker can send a specially crafted SAML (Security Assertion Markup Language) message to the device. The device fails to properly validate the signature of this message, allowing the attacker to bypass the authentication process and gain administrative access.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • CVSS Score: 9.1 (Critical)

The attack is particularly dangerous because it requires no authentication and no user interaction, making it easy for attackers to automate and scale. A related vulnerability, CVE-2025-59719, addresses the same underlying issue and is patched concurrently.

Affected Systems

The vulnerability affects multiple Fortinet products where the FortiCloud SSO feature is enabled. It is important to note that while this feature is not enabled by default, it can be automatically activated when an administrator registers a device to FortiCare.

  • FortiOS
  • FortiProxy
  • FortiWeb
  • FortiSwitchManager

Organizations must consult the official Fortinet security advisory (FG-IR-25-329) for the specific list of vulnerable versions and apply the appropriate patches.

Exploitation Status

According to CISA and security firm Arctic Wolf, CVE-2025-59718 is under active exploitation. Malicious activity was observed starting on December 12, 2025, just days after Fortinet released the patches. Threat actors are known to be exploiting the vulnerability to gain initial access to target networks. Post-exploitation activity includes exporting the device configuration. This is a significant step, as the configuration file can contain hashed user passwords and other sensitive network information, which attackers can take offline to crack and use for further compromise and lateral movement.

Impact Assessment

A successful exploit of CVE-2025-59718 grants an attacker administrative access to a critical network security appliance. The business impact is severe:

  • Full Network Compromise: An attacker with control over a firewall or proxy can monitor, modify, or redirect network traffic, disable security policies, and gain a foothold for deeper network penetration.
  • Credential Theft: By exporting the device configuration, attackers can obtain hashed credentials for all local users, potentially leading to the compromise of other systems if password reuse is prevalent.
  • Data Exfiltration: The attacker can reconfigure the device to allow exfiltration of sensitive data from the internal network.
  • Loss of Trust in Security Infrastructure: A compromise of the primary security appliance undermines the entire security posture of an organization.

Detection Methods

  • Log Analysis: Review authentication logs on Fortinet appliances for successful logins via FortiCloud SSO from unexpected or unrecognized IP addresses. According to Arctic Wolf, look for log entries indicating a successful SSO login immediately followed by a configuration backup.
  • Vulnerability Scanning: Use vulnerability management tools to scan your environment for affected Fortinet product versions. Ensure your scanner has updated plugins to detect CVE-2025-59718.
  • Configuration Review: Check your Fortinet devices to see if the FortiCloud SSO login feature (config system admin/set forticloud-sso-login) is enabled. If it is, the device is potentially vulnerable and should be treated with high priority.

Remediation Steps

  1. Patch Immediately: The primary solution is to upgrade to a patched version of the firmware as specified in the Fortinet security advisory. This is the only way to fully remediate the vulnerability. This aligns with D3FEND Software Update (D3-SU).
  2. Apply Workaround: If patching is not immediately possible, Fortinet recommends disabling the FortiCloud SSO login feature as a temporary mitigation. This can be done via the CLI with the command:
    config system admin
    edit <admin-user>
        set forticloud-sso-login disable
    next
end
    This is a form of D3FEND Application Configuration Hardening (D3-ACH).
  3. Hunt for Compromise: After patching or applying the workaround, review logs for any signs of exploitation that may have occurred before the fix was applied. If suspicious activity is found, assume a breach and initiate your incident response plan.

Timeline of Events

1
December 12, 2025
Arctic Wolf observes active exploitation of CVE-2025-59718 begins.
2
December 16, 2025
CISA adds CVE-2025-59718 to the Known Exploited Vulnerabilities (KEV) catalog.
3
December 17, 2025
This article was published
4
December 23, 2025
CISA's deadline for U.S. federal agencies to patch the vulnerability.

Article Updates

December 21, 2025

Fortinet SSO flaws (CVE-2025-59718, CVE-2025-59719) now rated CVSS 9.8, allowing full auth bypass. International agencies, including Australia and Pakistan, issue urgent patching alerts.

Update Sources:
lcci.com.pkDangerous Security Flaws Could Allow Hackers to Hijack These Systems Without a Password
leansecurity.com.auCritical Australian Cyber Threats: React2Shell RCE, Healthcare Ransomware & Data Breaches

December 24, 2025

New technical analysis, MITRE ATT&CK mappings, and detailed cyber observables for detection of CVE-2025-59718 provided, following the federal agency patch deadline.

Update Sources:
sans.orgOne-Week KEV Patch Deadline for Exploited Flaws in Cisco AsyncOS, SonicWall SMA 100, and Fortinet FortiCloud
cisa.govKnown Exploited Vulnerabilities Catalog

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Applying the vendor-supplied patches is the most effective way to remediate the vulnerability.

Mapped D3FEND Techniques:

D3-SU

Disable or Remove Feature or Program

M1042enterprise

Disabling the vulnerable FortiCloud SSO feature serves as a critical workaround if patching is not immediately feasible.

Mapped D3FEND Techniques:

D3-ACHD3-EDLD3-SCF

Audit

M1047enterprise

Regularly auditing device logs for anomalous authentication events is crucial for detecting exploitation.

Mapped D3FEND Techniques:

D3-DAMD3-LAMD3-SFA

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

Given that CVE-2025-59718 is under active exploitation and listed in the CISA KEV catalog, the highest priority action is to apply the patches provided by Fortinet immediately. This is an emergency change. Organizations should use their asset management and vulnerability scanning tools to identify all affected Fortinet appliances (FortiOS, FortiProxy, FortiWeb) in their environment. Prioritize patching for internet-facing devices first, as they are the most likely targets. After patching, verify the update was successful by checking the firmware version on each device. Because this flaw allows for a full authentication bypass, delaying patches exposes the network perimeter to a trivial compromise.

Application Configuration Hardening

D3-ACHMaps to MITREM1054
D3FEND

If immediate patching is not possible, the recommended workaround of disabling the FortiCloud SSO feature must be implemented. This is a critical compensating control that directly hardens the device against this specific attack vector. Administrators should connect to the CLI of each potentially vulnerable Fortinet device and run the command to disable forticloud-sso-login for all admin users. This action removes the vulnerable attack surface. This should be treated as a temporary measure, and a plan to patch the devices must still be pursued. This hardening action is a clear example of reducing the attack surface by disabling non-essential or vulnerable features, a core tenet of security best practices.

Local Account Monitoring

D3-LAMMaps to MITREM1026
D3FEND

For detection and post-remediation hunting, organizations must implement rigorous Local Account Monitoring on their Fortinet devices. All authentication logs from Fortinet appliances should be forwarded to a central SIEM. Create specific detection rules to alert on any successful login using the 'forticloud-sso-login' method, especially if it originates from an untrusted or unexpected IP address. Correlate these login events with subsequent actions, such as a configuration backup or modification of firewall rules. An alert that fires on 'Successful FortiCloud SSO Login from Anomalous IP' followed by 'Admin User Exports Configuration' would be a high-fidelity indicator of compromise related to this specific threat. This allows security teams to detect exploitation attempts and investigate potential breaches that occurred before patching.

Sources & References(when first published)

CISA Adds One Known Exploited Vulnerability to Catalog
CISA (cisa.gov) December 16, 2025
Known Exploited Vulnerabilities Catalog
CISA (cisa.gov) December 16, 2025
U.S. CISA adds a flaw in multiple Fortinet products to its Known Exploited Vulnerabilities catalog
Security Affairs (securityaffairs.com) December 17, 2025
CISA Adds Fortinet Signature Verification Vulnerability to KEV Catalog After Active Exploitation
Cyberpress (cyberpress.com) December 17, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

CISAKEVFortinetCVE-2025-59718SSOAuthentication BypassFortiOSVulnerabilityPatch Management

📢 Share This Article

Help others stay informed about cybersecurity threats