9.8

CVE-2025-59718

Warnung
Medienbericht
A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FortinetFortiProxy Version >= 7.0.0 < 7.0.22
FortinetFortiProxy Version >= 7.2.0 < 7.2.15
FortinetFortiProxy Version >= 7.4.0 < 7.4.11
FortinetFortiProxy Version >= 7.6.0 < 7.6.4
FortinetFortiSwitch Manager Version >= 7.0.0 < 7.0.6
FortinetFortiSwitch Manager Version >= 7.2.0 < 7.2.7
FortinetFortiOS Version >= 7.0.0 < 7.0.18
FortinetFortiOS Version >= 7.2.0 < 7.2.12
FortinetFortiOS Version >= 7.4.0 < 7.4.9
FortinetFortiOS Version >= 7.6.0 < 7.6.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login

16.12.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability

Schwachstelle

Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 66.32% 0.992
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
psirt@fortinet.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
22.06.2026 16:39
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
22.06.2026 16:38
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:20
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
28.01.2026 09:50
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
22.01.2026 09:42
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.12.2025 09:47
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
10.12.2025 10:46
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
Vendor Advisory
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718
US Government Resource
https://cert-portal.siemens.com/productcert/html/ssa-864900.html
Third Party Advisory