External risk intelligence

Fortinet FortiWeb SAML Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-59719

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb may allow an unauthenticated attacker to bypass FortiCloud SSO authentication via a crafted SAML response, potentially enabling unauthorized access to protected applications.

5Halo Surface Signal

Fortinet Fortiweb

7.4.0 to 7.4.97.6.0 to 7.6.48.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-59719

FortiWeb is a web application firewall designed to be placed at the network edge. This vulnerability affects SAML authentication handled by the device, which is a public-facing function intended to manage external access to protected applications.

PCI scan relevance

PCI Relevance for CVE-2025-59719

Yes

CVE-2025-59719 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an unauthenticated attacker to bypass FortiCloud SSO authentication via a crafted SAML response, which could lead to an ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Fortinet FortiWeb devices, which are often used as network security gateways. The issue allows an unauthorized attacker to bypass single sign-on authentication, potentially granting them access to protected applications.

Unauthenticated attackers can bypass login security.
Critical security control failure at the network edge.
Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this by sending a specially crafted SAML response to bypass FortiCloud's single sign-on authentication. This could grant them unauthorized access to protected applications.

Requires network access.
Triggered by a crafted SAML response.
Risk of unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could bypass FortiCloud Single Sign-On (SSO) login authentication by sending a specially crafted SAML response message, potentially impacting system access controls when the vulnerability is present.

System access controls.
Bypass authentication via crafted SAML.
Unauthorized access to protected applications.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects Fortinet FortiWeb web application firewalls. Given its placement at the network edge and its role in managing external access through SAML authentication, ownership likely falls to infrastructure, platform, or network/security teams responsible for the WAF's operation and security. The immediate first step should be to identify all deployed instances of the affected FortiWeb versions, confirm their external reachability and business criticality, and then engage the accountable owner to plan remediation based on the assessed risk.

Infrastructure or Security teams should own remediation.
Verify external reachability and asset criticality.
Plan and coordinate vendor-supported updates.

Frequently asked questions

What is FortiWeb and how is it used?

FortiWeb is a web application firewall (WAF) developed by Fortinet. It acts as a protective gateway positioned at the network edge to monitor and filter incoming traffic. Organizations use it to secure their web applications by inspecting requests, managing authentication, and blocking malicious activity before it reaches internal systems.

What does improper cryptographic signature verification mean in CVE-2025-59719?

This vulnerability, classified as CWE-347, involves a failure to correctly validate the digital signatures used in SAML communication. Because the system does not properly verify that the SAML response is authentic and untampered, it erroneously trusts incoming login data. In this specific CVE, it allows an attacker to bypass the intended FortiCloud Single Sign-On process.

How does an attacker trigger this SAML bypass?

An attacker triggers this flaw by sending a specially crafted SAML response message to the vulnerable FortiWeb device. The vulnerability relies on the device accepting this manipulated message as legitimate due to the signature verification failure. Simply navigating to the site or having general network traffic does not trigger the bug; the attacker must specifically supply a malicious SAML assertion designed to trick the authentication flow.

Is my FortiWeb instance at risk?

Halo Surface Signal indicates that FortiWeb is typically placed at the network edge, making instances accessible from the internet highly relevant for review. If your device handles SAML authentication for protected applications, it is a primary concern. You should check if your configuration relies on FortiCloud SSO, as this is the specific authentication mechanism impacted by the bypass.

What steps should I take to address this?

First, create an inventory of all FortiWeb instances running versions 7.4.x, 7.6.x, or 8.0.0 to confirm which are active. Once identified, evaluate their network placement and the criticality of the applications they protect. Coordinate with your infrastructure or security teams to prioritize these assets for vendor-supplied updates or security patches provided by Fortinet.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.