Preface: You can summarize it as: “FortiCloud MUST fail SSO login when mandatory SAML attributes are missing, malformed, incorrect, unsigned, or expired. No fallback admin privileges are permitted under any circumstance”.
Background: The patch for CVE-2025-59718 and CVE-2025-59719 contains a vulnerability that allows attackers to bypass SSO login verification with a carefully crafted SAML message, provided FortiCloud SSO is enabled on the affected device. Fortinet patched these issues last month. Last week, reports surfaced of malicious SSO login activity reappearing on FortiGate devices that had already been patched for the two vulnerabilities, with attackers logging in using administrator accounts. This activity resembles the events that occurred shortly after CVE-2025-59718 and CVE-2025-59719 were disclosed last December.
Security Focus: Both CVE‑2025‑59718 and CVE‑2025‑59719 sit in the same category:
SSO trust + authorization enforcement weaknesses
Specifically, both are tied to situations where:
• FortiCloud accepts an SSO/SAML login
• But does not sufficiently enforce privilege/role restrictions
• Potentially allowing unintended or elevated administrator access
This is why they look alike: both arise during the
“FortiCloud SSO + IAM authorization step after login.”
They do involve the handling of SAML/SSO attributes, but the underlying issue is broader than “incorrect mapping.”
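The fail-closed rule from the preface, applied to the weakness described above, as an added illustration that is not FortiOS or Fortinet code. It models the assertion as a dict and uses HMAC-SHA256 as a stand-in for XML-DSig; the audience, attribute names and role set are constructed assumptions. Every check that fails returns a rejection with no role, so there is no path to a default administrator privilege.

```python
import hmac, hashlib, json

# Constructed policy for this example (not Fortinet's values).
EXPECTED_AUDIENCE = "urn:example:forticloud-sp"
REQUIRED_ATTRS = ("username", "role")
ALLOWED_ROLES = {"admin", "readonly"}

def canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_assertion(body: dict, key: bytes) -> dict:
    # Stand-in for XML-DSig: HMAC-SHA256 over the canonical assertion body.
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": mac}

def validate_sso_login(msg: dict, key: bytes, now: float) -> dict:
    """Fail-closed SSO validation: unsigned, tampered, wrong-audience, expired,
    incomplete or unknown-role assertions are all rejected with role=None."""
    body, sig = msg.get("body"), msg.get("signature")
    if not isinstance(body, dict) or not sig:
        return {"ok": False, "reason": "unsigned", "role": None}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return {"ok": False, "reason": "bad_signature", "role": None}
    if body.get("audience") != EXPECTED_AUDIENCE:
        return {"ok": False, "reason": "wrong_audience", "role": None}
    try:
        nbf, exp = float(body["not_before"]), float(body["not_on_or_after"])
    except (KeyError, TypeError, ValueError):
        return {"ok": False, "reason": "malformed_conditions", "role": None}
    if not (nbf <= now < exp):
        return {"ok": False, "reason": "expired", "role": None}
    attrs = body.get("attributes")
    if not isinstance(attrs, dict) or any(not attrs.get(a) for a in REQUIRED_ATTRS):
        return {"ok": False, "reason": "missing_attribute", "role": None}
    role = attrs["role"]
    if role not in ALLOWED_ROLES:   # unknown role is rejected, never mapped to admin
        return {"ok": False, "reason": "unknown_role", "role": None}
    return {"ok": True, "reason": "accepted", "role": role, "user": attrs["username"]}

if __name__ == "__main__":
    key, now = b"constructed-demo-key", 1_000_000.0
    good = {"audience": EXPECTED_AUDIENCE, "not_before": now - 10,
            "not_on_or_after": now + 300,
            "attributes": {"username": "alice", "role": "readonly"}}
    signed = sign_assertion(good, key)
    print(validate_sso_login(signed, key, now))
    signed["body"]["attributes"]["role"] = "admin"   # tamper after signing
    print(validate_sso_login(signed, key, now))      # bad_signature
```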
Vulnerability details:
CVE-2025-59718 - An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Ref: https://nvd.nist.gov/vuln/detail/CVE-2025-59718
CVE-2025-59719 - An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.