External risk intelligence

Fortinet SSO Authentication Bypass Vulnerability

CVE advisoryKnown Exploit

CVE-2025-59718

A vulnerability in Fortinet products allows unauthorized access by bypassing SSO authentication. This impacts affected organizations by potentially exposing systems and data, creating business risk. Organizations should identify affected assets and apply vendor fixes.

5Halo Surface Signal

Fortinet Fortiproxy

7.0.0 to before 7.0.227.2.0 to before 7.2.157.4.0 to before 7.4.117.6.0 to before 7.6.47.0.0 to before 7.0.67.2.0 to before 7.2.77.0.0 to before 7.0.187.2.0 to before 7.2.127.4.0 to...

External exposure likelihood

Halo Surface Signal score for CVE-2025-59718

This vulnerability affects FortiOS, FortiProxy, and FortiSwitchManager, which are typically deployed as internet-facing edge gateways, security appliances, and identity access controllers. SAML SSO authentication endpoints on these devices are designed to be reachable for remote user authentication, making them inherently exposed to the public internet in normal, common deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager, are affected by a vulnerability related to the verification of cryptographic signatures. This flaw permits an unauthenticated attacker to circumvent the FortiCloud Single Sign-On (SSO) login process. Such a bypass could lead to unauthorized access to systems and data, potentially impacting organizational security and operational integrity.

Vulnerable Fortinet products
Flaw bypasses SSO authentication
Unauthorized access to systems

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can bypass FortiCloud SSO login authentication by sending a specially crafted SAML response. This allows the attacker to gain unauthorized access to the system. The vulnerability exists in the verification of cryptographic signatures within the SAML authentication process.

Exposure condition: SAML SSO authentication is exposed.
Attacker starting point: Network access.
Trigger and result: Crafted SAML response bypasses authentication.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists within several Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager. This flaw allows an attacker to bypass authentication for FortiCloud Single Sign-On (SSO) by sending a specially crafted SAML response. Successful exploitation could lead to unauthorized access to systems and sensitive data, posing a significant business risk. The vulnerability has been identified as actively exploited, increasing the urgency for remediation.

Attackers require low skill.
No access or conditions needed.
Business risk is high, treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability permits an unauthenticated attacker to bypass FortiCloud SSO authentication by submitting a specially crafted SAML response. The impact can include unauthorized access to systems and data. Organizations should take immediate steps to identify and protect against this risk.

Identify all affected Fortinet assets.
Reduce exposure or isolate risk.
Apply vendor fixes, verify, and monitor.

Frequently asked questions

What is Fortinet FortiOS and what are its primary functions?

Fortinet FortiOS is the operating system for Fortinet's security devices, forming the core of their Security Fabric. It integrates networking and security functions, providing advanced threat protection, visibility, and control across hybrid environments. Key capabilities include SD-WAN, AI-driven threat prevention, and unified management for IT and OT infrastructure.

How does CVE-2025-59718 exploit an improper verification of cryptographic signatures (CWE-347)?

CVE-2025-59718 is a CWE-347 vulnerability where the system fails to properly verify the cryptographic signature on SAML responses. This allows an attacker to submit a crafted, illegitimate SAML message, which is then accepted as valid, bypassing the authentication process for FortiCloud SSO.

What is the trigger path for bypassing FortiCloud SSO authentication in CVE-2025-59718?

The trigger path involves an unauthenticated attacker sending a specially crafted SAML response message to the vulnerable device's authentication endpoint, typically targeting the /remote/saml/login path. The device's failure to validate the signature on this crafted response allows the bypass.

How does Halo Surface Signal assess the relevance of CVE-2025-59718 for internet-facing devices?

Halo Surface Signal assesses CVE-2025-59718 as very likely to affect internet-facing devices because Fortinet products like FortiOS, FortiProxy, and FortiSwitchManager are commonly deployed as edge gateways and security appliances with SAML SSO authentication endpoints exposed for remote user access.

What are the recommended steps to remediate CVE-2025-59718?

Immediate remediation includes applying the latest security patches from Fortinet for affected products. Workarounds involve temporarily disabling the FortiCloud SSO feature and restricting access to management interfaces. Organizations should also review logs for suspicious activity and reset credentials if compromise is suspected.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.