CISA has officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16, 2025.
Designating a critical deadline of December 23, 2025, for organizations to apply necessary remediation measures.
This action reflects the vulnerability’s active exploitation in the wild and the immediate threat it poses to enterprise networks.
The vulnerability affects multiple Fortinet security products, including FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb.
The flaw lies in the improper verification of cryptographic signatures, allowing unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) authentication via specially crafted SAML messages.
This authentication bypass vulnerability provides a direct path to unauthorized network access without requiring valid credentials.
Fortinet has addressed this issue through vendor advisories, with administrators instructed to apply all available patches immediately.
| Detail | Information |
|---|---|
| CVE ID | CVE-2025-59718 |
| CWE Classification | CWE-347 (Improper Verification of Cryptographic Signature) |
| Vulnerability Type | Authentication Bypass via SAML |
| Attack Vector | Unauthenticated, Network-based |
A related vulnerability, CVE-2025-59719, pertains to the same underlying issue and is documented in the same advisory, requiring comprehensive patching across affected systems.
The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), highlighting the specific weakness in the authentication mechanism.
CISA’s inclusion in the KEV catalog mandates compliance with federal security guidance, particularly for agencies operating cloud services.
Organizations must follow applicable BOD 22-01 guidance when implementing cloud-based Fortinet solutions.
For environments where patches cannot be immediately deployed, CISA recommends discontinuing product use until mitigations are available and verified.
The timing of this KEV addition is significant, as active exploitation indicates threat actors are already leveraging this vulnerability in operational attacks.
However, CISA’s current assessment does not conclusively link the vulnerability to ransomware campaigns, though this classification may evolve as threat intelligence develops.
Security teams should prioritize remediation of CVE-2025-59718 within their patch management cycles. Particularly for edge security appliances and web application firewalls that may be directly exposed to the internet.
Organizations running affected Fortinet products should immediately audit their deployment inventory.
And initiate emergency patching procedures before the December 23 deadline to maintain compliance and prevent credential-free network intrusion.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
