CrowdSec

VulnTracking
CVE-2025-59718

Fortinet’s Early Christmas Gift to Attackers: SAML Authentication Bypass

The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2025-59718, a critical authentication bypass vulnerability in Fortinet products.

Key findings

  • Vulnerability released: December 9, 2025. 
  • CISA KEV added: December 16, 2025
  • CrowdSec detection rule added: December 17, 2025
  • Exploitation trend: CrowdSec has detected initial probing signals shortly after tracking this CVE. This trend will likely strengthen with the addition of the CVE to the CISA Known Exploited Vulnerabilities (KEV) catalog.
  • Attack profile: Threat actors are using advanced reconnaissance to identify vulnerable Fortinet instances, treating this vulnerability as a “skeleton key” for enterprise networks.

What is Fortinet FortiOS & FortiProxy?

Fortinet‘s FortiOS, FortiProxy, and FortiSwitchManager are the operating systems and management platforms that power Fortinet’s security appliances. These are the gatekeepers of enterprise networks, used by IT administrators and security teams to protect infrastructure from… Well, exactly this kind of thing.

Why it matters: It’s almost Christmas, and Fortinet seems to have wrapped up a present for CVE hunters and threat actors alike. This isn’t just a bug; it’s a critical authentication bypass with a CVSS of 9.8 (for version 3.1). If you use Fortinet to secure your network, this vulnerability allows an unauthenticated attacker to bypass the FortiCloud Single Sign-On (SSO) login, potentially granting them administrative access to your security appliances.

About CVE-2025-59718

This vulnerability stems from an improper verification of cryptographic signatures (CWE-347) in the SAML authentication process.

  • Mechanism: An attacker sends a crafted SAMLResponse to the /remote/saml/login endpoint.
  • Result: The system fails to properly verify the signature, accepting the forged response and logging the attacker in, no valid credentials required.

This incident is a classic example of a “trust but don’t verify” failure, which is particularly concerning given that the product’s primary function is, by definition, verification.

Trend analysis

According to CrowdSec Threat Intelligence, exploitation of CVE-2025-59718 is in its infancy. While our specific sensor snapshot shows the initial sparks, we are expecting more attackers to jump on the adventure soon. Since the CVE was added to the CISA Known Exploited Vulnerability (KEV) catalog, it will probably become more popular. The attacks are currently low-volume but high-impact, typical of sophisticated actors establishing a foothold before the holidays.

How to protect your systems

  • Patch immediately. Fortinet has released updates. Ensure you are running a fixed version:
    • FortiOS: Upgrade to 7.6.4, 7.4.9, 7.2.12, or 7.0.18 or later.
    • FortiProxy: Upgrade to 7.6.4, 7.4.11, 7.2.15, or 7.0.22 or later.
    • FortiSwitchManager: Upgrade to 7.2.7 or 7.0.6 or later.
  • Take Action: Crowdsec automatically detects probing attempts for CVE-2025-55182, as well as hundreds of other vulnerabilities. 
  • Stay Proactive: Subscribe to CrowdSec’s specialized blocklist to gain instant protection for IPs targeting the most harmful vulnerabilities.

WRITTEN BY