The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, marking the latest Fortinet vulnerability being actively exploited in the wild.
The flaw affects multiple Fortinet products and poses a significant threat to organisations relying on FortiCloud single sign-on (SSO) authentication.
Vulnerability Details
CVE-2025-59718 represents an improper verification of cryptographic signature vulnerability affecting Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb.
The security flaw enables unauthenticated attackers to bypass FortiCloud SSO login authentication by crafting malicious SAML messages.
This attack vector is particularly dangerous because it requires no prior authentication or special privileges, making it accessible to threat actors with minimal technical barriers.
The vulnerability stems from inadequate cryptographic signature validation during the SAML authentication process, classified under CWE-347.
A related flaw, CVE-2025-59719, addresses the same underlying issue and is documented in Fortinet’s advisory, requiring organizations to apply all recommended patches.
CISA added this vulnerability to the KEV catalog on December 16, 2025, with a seven-day remediation deadline of December 23, 2025.
The expedited timeline reflects the active exploitation of this flaw in real-world environments. Organizations using affected Fortinet products must treat this as a critical priority.
While current intelligence does not confirm this vulnerability’s use in ransomware campaigns, the active exploitation combined with the authentication bypass capability creates considerable risk.
Attackers could potentially gain unauthorized access to critical infrastructure and networks, establishing initial footholds for subsequent intrusions.
CISA guidance emphasizes immediate remediation following vendor instructions. Organizations should prioritize applying all patches mentioned in Fortinet’s security advisory for CVE-2025-59718 and CVE-2025-59719.
For systems where patches cannot be immediately deployed, administrators must implement available mitigations or consider discontinuing use of the product per BOD 22-01 compliance requirements, particularly for cloud services.
Security teams should verify their inventory of Fortinet products, prioritize patching, and monitor for suspicious SAML authentication attempts that may indicate exploitation attempts.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.