
CVE-2025-59718: Critical Authentication Bypass in Fortinet Products Under Active Exploitation

CVE ID: CVE-2025-59718

Severity: CRITICAL | CVSS Score: 9.8

Attack Vector: NETWORK | Authentication Required: NONE

Sources: 3 different security sources including CISA KEV Catalog

What You Need to Know

Let me explain what's happening here, because this is one of those situations where we need to act quickly. Fortinet has disclosed a critical vulnerability in their FortiGate, FortiProxy, and FortiSwitchManager products that allows attackers to completely bypass authentication—no username, no password, nothing required. Think of it like someone finding a way to walk right through your locked front door without even touching the lock. What makes this particularly urgent is that CISA added this vulnerability to their Known Exploited Vulnerabilities catalog on December 16, 2025, which means attackers are already using it in the wild. Arctic Wolf reported observing active intrusions just days after the vulnerability was publicly disclosed.

A Bit More Detail

This vulnerability affects the FortiCloud Single Sign-On (SSO) authentication mechanism, specifically how these devices verify SAML (Security Assertion Markup Language) response messages. SAML is like a digital passport that proves you've already authenticated with a trusted identity provider—except in this case, attackers figured out how to forge that passport because Fortinet's products weren't properly checking the cryptographic signatures that are supposed to prove the passport is genuine. The vulnerability carries a CVSS score of 9.8 out of 10, which is about as serious as it gets, because it can be exploited remotely over the network without any authentication and without requiring the user to do anything.

The Technical Specifics

  • Vulnerability Type: CWE-347 (Improper Verification of Cryptographic Signature)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Impact: High confidentiality, integrity, and availability impact
  • Affected Products and Versions:
    • FortiOS 7.6.0 through 7.6.3
    • FortiOS 7.4.0 through 7.4.8
    • FortiOS 7.2.0 through 7.2.11
    • FortiOS 7.0.0 through 7.0.17
    • FortiProxy 7.6.0 through 7.6.3
    • FortiProxy 7.4.0 through 7.4.10
    • FortiProxy 7.2.0 through 7.2.14
    • FortiProxy 7.0.0 through 7.0.21
    • FortiSwitchManager 7.2.0 through 7.2.6
    • FortiSwitchManager 7.0.0 through 7.0.5
  • First Disclosed: December 9, 2025 by Fortinet
  • Active Exploitation Confirmed: December 12, 2025 by Arctic Wolf (as reported by The Hacker News)
  • Added to CISA KEV: December 16, 2025

Understanding the Vulnerability

Here's what makes this vulnerability particularly dangerous. When you use single sign-on, you're essentially trusting a third-party identity provider to verify who someone is. The identity provider sends a digitally signed message (the SAML response) that says "Yes, this person is who they claim to be." The digital signature is like a wax seal on an official document—it's supposed to prove the document is authentic and hasn't been tampered with.

In this case, Fortinet's products weren't properly verifying those digital signatures. An attacker could craft a fake SAML response message, and the Fortinet device would accept it as legitimate. This means an unauthenticated attacker—someone with no credentials whatsoever—could gain complete administrative access to your FortiGate firewall, FortiProxy, or FortiSwitchManager just by sending a specially crafted message over the network.
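To make the CWE-347 pattern described here and in "A Bit More Detail" concrete, here is an added example (not Fortinet's code, and not the actual defect in FortiOS) contrasting a validator that trusts any well-formed SAML response naming a known issuer with one that requires the signature, verifies it against the trusted key, and checks audience and expiry. An HMAC-SHA256 keyed with a shared secret stands in for XML-DSig's certificate-based signature so it runs on the standard library alone; the issuer, audience, key and timestamps are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed trust store: issuer -> verification key. A real SP holds the IdP's
# X.509 certificate and checks XML-DSig; an HMAC with a shared secret stands in.
TRUSTED_IDPS = {"https://idp.example.test": b"constructed-idp-key"}
EXPECTED_AUDIENCE = "https://fw.example.test/sp"

def signed_bytes(issuer, subject, audience, not_after):
    # Stand-in for XML canonicalization: every field the signature must bind.
    return "|".join([issuer, subject, audience, str(not_after)]).encode()

def sign(issuer, subject, audience, not_after, key):
    return hmac.new(key, signed_bytes(issuer, subject, audience, not_after),
                    hashlib.sha256).hexdigest()

def build_response(issuer, subject, audience, not_after, signature=None):
    # Minimal SAML-shaped response; the Signature element is optional, as in a forgery.
    sig = f"<Signature>{signature}</Signature>" if signature else ""
    return (f"<Response><Issuer>{issuer}</Issuer><Assertion><Subject>{subject}</Subject>"
            f"<Audience>{audience}</Audience><NotOnOrAfter>{not_after}</NotOnOrAfter>"
            f"{sig}</Assertion></Response>")

def parse(xml_text):
    root = ET.fromstring(xml_text)
    a = root.find("Assertion")
    sig = a.find("Signature")
    return {"issuer": root.findtext("Issuer"), "subject": a.findtext("Subject"),
            "audience": a.findtext("Audience"), "not_after": int(a.findtext("NotOnOrAfter")),
            "signature": sig.text if sig is not None else None}

def login_weak(xml_text):
    # CWE-347 pattern: well-formed XML naming a known issuer is trusted as-is;
    # nothing proves the IdP actually produced it.
    r = parse(xml_text)
    return r["subject"] if r["issuer"] in TRUSTED_IDPS else None

def login_hardened(xml_text, now):
    r = parse(xml_text)
    key = TRUSTED_IDPS.get(r["issuer"])
    if key is None or not r["signature"]:
        return None  # unknown issuer, or the assertion carries no signature at all
    expected = sign(r["issuer"], r["subject"], r["audience"], r["not_after"], key)
    if not hmac.compare_digest(expected, r["signature"]):
        return None  # not produced by the trusted key, or a signed field was altered
    if r["audience"] != EXPECTED_AUDIENCE or now >= r["not_after"]:
        return None  # meant for a different service provider, or expired
    return r["subject"]
```

The weak path is what a signature-verification flaw reduces a service provider to: any party who can reach the SSO endpoint and spell the issuer's name gets the identity they wrote into the assertion.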

What's particularly concerning is how quickly this moved from disclosure to active exploitation. Fortinet published their advisory on December 9, 2025, and by December 12—just three days later—Arctic Wolf was already observing malicious SSO logins on FortiGate appliances in real-world environments. This rapid weaponization tells us that either the vulnerability is relatively straightforward to exploit, or threat actors had advance knowledge and were ready to move quickly.

The Timeline of Events

Let me walk you through how this unfolded, because the timeline is important for understanding the urgency:

  • December 9, 2025: Fortinet publicly disclosed CVE-2025-59718 in their security advisory FG-IR-25-647
  • December 12, 2025: Arctic Wolf observed active intrusions exploiting this vulnerability through malicious SSO logins
  • December 16, 2025: CISA added CVE-2025-59718 to their Known Exploited Vulnerabilities catalog, confirming widespread active exploitation
  • December 16, 2025: The Hacker News reported on the active attacks, noting that threat actors began exploitation less than a week after public disclosure

What You Should Do About This

Now, let's talk about protecting yourself. This is a situation where we need to move quickly but carefully.

Immediate Actions (Do These Right Now):

  • Identify Affected Systems: Create an inventory of all FortiGate, FortiProxy, and FortiSwitchManager devices in your environment. Check their versions against the affected version list above. If you're running any of those versions, assume you're vulnerable.
  • Review Authentication Logs: Look for unusual SSO login activity, particularly any successful authentications that seem suspicious or don't correlate with known user activity. Pay special attention to any administrative logins via FortiCloud SSO between December 9 and now.
  • Check for Indicators of Compromise: Look for unexpected configuration changes, new administrative accounts, unusual firewall rule modifications, or any signs that someone has been poking around in your systems.
  • Consider Temporary Mitigations: If you're using FortiCloud SSO and can't patch immediately, consider temporarily disabling this authentication method if your environment allows it. This is a tough call because it might disrupt legitimate access, but it closes the door attackers are using.
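For the inventory step, an added helper (not from Fortinet or the article's sources) that checks version strings against the affected ranges listed above. It compares versions numerically because a plain string comparison mis-sorts 7.4.10 against 7.4.8, and it distinguishes a version outside a listed range from a release branch the list does not mention at all. The hostnames and version strings in the usage are constructed.

```python
# Affected ranges as listed in this article (inclusive, per product). Refresh
# from Fortinet's advisory if it changes; this is a triage aid, not the source.
AFFECTED = {
    "FortiOS": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.8"), ("7.2.0", "7.2.11"), ("7.0.0", "7.0.17")],
    "FortiProxy": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.10"), ("7.2.0", "7.2.14"), ("7.0.0", "7.0.21")],
    "FortiSwitchManager": [("7.2.0", "7.2.6"), ("7.0.0", "7.0.5")],
}

def parse_version(text):
    # Accepts "7.4.8", "v7.4.8" or "v7.4.8,build2795"; integer tuples sort
    # correctly where strings do not ("7.4.10" < "7.4.8" as text).
    core = text.strip().lstrip("v").split(",")[0]
    return tuple(int(p) for p in core.split("."))

def assess(product, version):
    """Return one of: affected, outside_listed_range, unlisted_branch, unlisted_product."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return "unlisted_product"
    v = parse_version(version)
    for lo, hi in ranges:
        lo_t, hi_t = parse_version(lo), parse_version(hi)
        if lo_t[:2] != v[:2]:
            continue  # different release branch (major.minor)
        return "affected" if lo_t <= v <= hi_t else "outside_listed_range"
    return "unlisted_branch"  # branch absent from the list; confirm against the advisory

def triage(inventory):
    # inventory: iterable of (hostname, product, version_string) -> status -> [hosts]
    report = {}
    for host, product, version in inventory:
        report.setdefault(assess(product, version), []).append(host)
    return report

if __name__ == "__main__":
    # Constructed inventory for illustration
    print(triage([("fw-edge-1", "FortiOS", "v7.4.8,build2795"),
                  ("proxy-1", "FortiProxy", "7.6.4"),
                  ("fsm-1", "FortiSwitchManager", "7.0.5")]))
```

Treat "outside_listed_range" as "not in the affected list", not as proof of safety: confirm the exact fixed build in the advisory before closing the ticket.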

For the Long Term (Your Permanent Fix):

  • Apply Security Updates: Visit Fortinet's security advisory at https://fortiguard.fortinet.com/psirt/FG-IR-25-647 for specific patching guidance. Fortinet has released updates that properly verify SAML signature cryptography. Test these updates in a non-production environment first if possible, but don't delay too long—this is being actively exploited.
  • Implement Defense in Depth: Even after patching, consider implementing additional authentication controls. Multi-factor authentication, network segmentation, and restricting administrative access to trusted networks can all help limit the impact if another vulnerability is discovered.
  • Monitor Continuously: Set up alerts for any SSO authentication activity, particularly administrative logins. You want to know immediately if someone is accessing your security infrastructure.
  • Review Your Incident Response Plan: If you haven't already, assume potential compromise and conduct a thorough security review of any affected systems. Look for persistence mechanisms, backdoors, or configuration changes that an attacker might have made.

Detection and Hunting Guidance

For those of you with security operations teams, here's what to look for:

  • Log Analysis: Review FortiGate, FortiProxy, and FortiSwitchManager authentication logs for successful SSO logins, particularly those that resulted in administrative access. Look for patterns that don't match normal user behavior.
  • Configuration Audits: Compare current device configurations against known-good baselines. Look for unauthorized changes to firewall rules, VPN configurations, administrative accounts, or any other security-relevant settings.
  • Network Traffic Analysis: Monitor for unusual outbound connections from your Fortinet devices, which could indicate command-and-control communication if an attacker gained access.
  • Timeline Correlation: Any suspicious activity on these devices after December 9, 2025 should be investigated with the assumption that this vulnerability might have been exploited.
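As an added illustration of the log-analysis and timeline-correlation points above (not from the article's sources), the following hunts a set of constructed FortiOS-style key=value event records for successful SSO logins on or after December 9, 2025 and flags accounts not expected to use SSO, sources outside administrative networks, and accounts that also changed configuration on the same device. The field names, allowlist and networks are assumptions; substitute your devices' real log schema.

```python
import ipaddress
import re
from datetime import date

# Constructed sample in FortiOS-style key=value form. Field names are assumed
# for illustration; map them to the schema your devices actually emit.
SAMPLE_LOGS = """\
date=2025-12-08 time=09:12:01 devname=fw-edge-1 type=event subtype=system action=login status=success method=sso user=jdoe profile=super_admin srcip=10.20.0.14
date=2025-12-11 time=02:47:33 devname=fw-edge-1 type=event subtype=system action=login status=success method=sso user=admin profile=super_admin srcip=198.51.100.23
date=2025-12-11 time=02:48:10 devname=fw-edge-1 type=event subtype=system action=Edit status=success user=admin cfgpath=firewall.policy msg="Add firewall.policy 77"
date=2025-12-13 time=10:05:42 devname=fw-edge-2 type=event subtype=system action=login status=success method=sso user=svc-backup profile=super_admin srcip=10.20.0.15
date=2025-12-13 time=11:30:00 devname=fw-edge-2 type=event subtype=system action=login status=failed method=sso user=admin profile=super_admin srcip=203.0.113.9
"""
KNOWN_SSO_ADMINS = {"jdoe", "msmith"}                 # accounts expected to use FortiCloud SSO
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # where administrators normally come from
DISCLOSURE = date(2025, 12, 9)                        # Fortinet advisory date from the article

def parse_line(line):
    # key=value pairs; quoted values may contain spaces
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def hunt_sso_logins(text):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    # (device, account) pairs that changed configuration anywhere in the window
    edited = {(e["devname"], e["user"]) for e in events if e.get("action") == "Edit"}
    findings = []
    for ev in events:
        if (ev.get("action"), ev.get("status"), ev.get("method")) != ("login", "success", "sso"):
            continue
        if date.fromisoformat(ev["date"]) < DISCLOSURE:
            continue  # predates public disclosure; out of scope for this hunt
        reasons = []
        if ev["user"] not in KNOWN_SSO_ADMINS:
            reasons.append("account not expected to use SSO")
        if not any(ipaddress.ip_address(ev["srcip"]) in net for net in ADMIN_NETS):
            reasons.append("source outside admin networks")
        if (ev["devname"], ev["user"]) in edited:
            reasons.append("same account changed configuration on this device")
        if reasons:
            findings.append({"date": ev["date"], "device": ev["devname"], "user": ev["user"],
                             "srcip": ev["srcip"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt_sso_logins(SAMPLE_LOGS):
        print(f)
```

A login that trips all three checks is the one to escalate first; a single "unexpected account" hit still needs a look, since a forged assertion can name any account.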

Why CISA's Involvement Matters

When CISA adds a vulnerability to their Known Exploited Vulnerabilities catalog, it's not just a recommendation—for federal agencies, it's a mandate to patch within a specific timeframe. But even if you're not a federal agency, you should pay attention when CISA takes this step. It means they have credible evidence that attackers are actively using this vulnerability in real-world attacks. CISA's credibility rating of 10 out of 10 in our source analysis reflects their authoritative position and access to threat intelligence from across the government and private sector.

The Broader Context

This vulnerability is particularly noteworthy because it affects network security devices—the very infrastructure we rely on to protect everything else. When your firewall or proxy can be compromised without authentication, an attacker doesn't just get access to one system; they potentially get access to your entire network. They can modify firewall rules to allow malicious traffic, intercept and decrypt VPN connections, or use the compromised device as a pivot point to attack internal systems.

The Hacker News reported that this vulnerability is being exploited alongside CVE-2025-59719, another authentication bypass affecting Fortinet products. While our focus here is on CVE-2025-59718, this pattern of multiple authentication bypasses being exploited together suggests a coordinated campaign by sophisticated threat actors.

Where I Found This Information


Note: This analysis is based on publicly available information from multiple authoritative sources as of December 18, 2025. The situation is evolving rapidly, and you should monitor Fortinet's security advisories for the latest updates. Always test security updates in a controlled environment when possible, but given the active exploitation of this vulnerability, rapid deployment may be necessary. If you believe your systems may have been compromised, consider engaging incident response professionals to assist with investigation and remediation.
