Preface: quoting the second paragraph of the article: "Because FortiOS uses reversible encryption …"
Please see the link for the full article: https://www.technadu.com/fortigate-edge-intrusions-lead-to-deep-network-compromise-rogue-workstations/623060/
Using reversible encryption in a firewall, or in any security system designed to protect credentials, is considered a major security risk because it effectively stores passwords in a form equivalent to plaintext. Reversible encryption allows the stored data to be decrypted back into its original form, so an attacker who compromises the system can recover the original credentials rather than only a one-way hash.
Background: In Active Directory (AD), abuse of the ms-DS-MachineAccountQuota attribute relies on its default value (10), which lets any ordinary low-privilege domain user create up to that many new computer accounts in the domain.
The most common form of this abuse is the Resource-Based Constrained Delegation (RBCD) attack. If an attacker holds a specific right (such as GenericWrite) over a target server's computer object, they can use ms-DS-MachineAccountQuota to create a fake computer account and configure the target to let that account "act on behalf of other identities," thereby impersonating a domain administrator to log in to the target server.
CVE-2025-59718 and CVE-2025-59719 are critical authentication bypass vulnerabilities (CVSS score 9.8) that stem from improper verification of cryptographic signatures (CWE-347) within Fortinet's SAML implementation.
Why do these vulnerabilities exist?
Signature Skipping: An unauthenticated remote attacker can send a specially crafted SAML message that the Fortinet device accepts without properly checking it against the trusted Identity Provider (IdP) certificate.
Improper Validation Logic: Because the system fails to correctly validate the XML Digital Signature, it does not confirm if the message actually came from the legitimate IdP or if it was modified in transit.
Administrative Access: By crafting a SAML response that claims to be from a trusted issuer (like sso.forticloud.com) and asserting a privileged identity (like super_admin), attackers can gain full administrative control over the device without needing a valid password or certificate.
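To make the three points above concrete, here is an added example (not Fortinet code, and not taken from the article) that models the trust decision a SAML service provider must make. Real SAML responses carry an XML Digital Signature made with the IdP's X.509 key from federation metadata; this model stands in an HMAC over a canonical form of the assertion so it runs with the Python standard library alone. TRUSTED_IDP_KEY, TRUSTED_ISSUER, the field names and the sample assertions are all constructed. The vulnerable verifier checks only that a signature element is present and that the issuer string looks trusted, which is the failure mode the text describes; the hardened verifier recomputes the signature under the pinned IdP key and only then trusts the issuer, subject and validity window.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins for a federation trust (not real keys or issuers).
TRUSTED_IDP_KEY = b"constructed-idp-signing-key-not-a-real-secret"
TRUSTED_ISSUER = "https://idp.example.test/saml"   # placeholder issuer


def canonical(assertion: dict) -> bytes:
    """Stand-in for XML canonicalisation: a stable byte form of the assertion."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign_response(assertion: dict, key: bytes) -> dict:
    """Issue a response whose signature covers the whole assertion (IdP side)."""
    sig = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}


def vulnerable_accept(response: dict, now: int):
    """Models CWE-347 as the text describes it: a well-formed signature element
    plus a trusted-looking issuer string is taken as proof, but the signature is
    never checked against the trusted IdP key."""
    a = response.get("assertion", {})
    sig = response.get("signature", "")
    looks_signed = len(sig) == 64 and all(c in "0123456789abcdef" for c in sig)
    if looks_signed and a.get("issuer") == TRUSTED_ISSUER:
        return (a.get("subject"), a.get("role"))
    return None


def hardened_accept(response: dict, now: int):
    """Verify before trusting: recompute the signature under the pinned IdP key,
    then evaluate issuer and validity window only on the authenticated data."""
    a = response.get("assertion", {})
    expected = hmac.new(TRUSTED_IDP_KEY, canonical(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response.get("signature", "")):
        return None        # signature does not verify under the trusted key
    if a.get("issuer") != TRUSTED_ISSUER:
        return None        # validly signed, but not by the IdP we federate with
    if not (a.get("not_before", 0) <= now < a.get("not_on_or_after", 0)):
        return None        # expired or replayed assertion
    return (a["subject"], a["role"])


def demo(now: int = 1500):
    # Genuine assertion from the trusted IdP (constructed).
    genuine = sign_response({"issuer": TRUSTED_ISSUER, "subject": "alice",
                             "role": "read_only", "not_before": 1000,
                             "not_on_or_after": 2000}, TRUSTED_IDP_KEY)
    # Assertion that merely claims the trusted issuer and a privileged role,
    # with a well-formed signature that cannot verify (no access to the IdP key).
    forged = {"assertion": {"issuer": TRUSTED_ISSUER, "subject": "admin",
                            "role": "super_admin", "not_before": 1000,
                            "not_on_or_after": 2000},
              "signature": secrets.token_hex(32)}
    return {"vulnerable": (vulnerable_accept(genuine, now), vulnerable_accept(forged, now)),
            "hardened": (hardened_accept(genuine, now), hardened_accept(forged, now))}


if __name__ == "__main__":
    for name, (good, bad) in demo().items():
        print(f"{name:10s} genuine -> {good}   forged -> {bad}")
```

The point of the model is the order of operations: nothing in the assertion (issuer, subject, role, timestamps) carries any weight until the signature has verified under the key the service provider already trusts, never under a key or claim supplied by the message itself.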
Official announcements (see the NVD entries for details):
CVE-2025-59718 – https://nvd.nist.gov/vuln/detail/CVE-2025-59718
CVE-2025-59719 – https://nvd.nist.gov/vuln/detail/CVE-2025-59719
Remedial action:
- Apply the patches recommended by the vendor.
- Use PowerShell to query which accounts hold a given right (here GenericWrite) on a specific object; the cmdlet below is PowerView's Get-DomainObjectAcl:
Get-DomainObjectAcl -Identity "TargetUser" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericWrite"}
- Disable FortiCloud SSO immediately via the CLI (set admin-forticloud-sso-login disable) or the GUI.
- Audit logs for unauthorized administrative logins, particularly from unfamiliar IP addresses or at unusual times.
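The last remedial step, auditing for administrative logins from unfamiliar addresses or at unusual times, is shown below as an added example that is not part of the original post or of any Fortinet tooling. The log lines are constructed to imitate the key=value style of FortiOS event logs; only the general shape is assumed, and the exact field set of a real admin-login event is not asserted. The allow-listed networks, business hours and the "sso" login method treated as unexpected (reasonable once FortiCloud SSO has been disabled) are assumptions a defender would replace with their own environment's values.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample events (key=value, quoted values), not real device output.
SAMPLE_LOGS = [
    'date=2025-12-16 time=10:15:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=10.0.0.5 method="https" action="login" status="success" profile="super_admin"',
    'date=2025-12-16 time=10:20:41 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=203.0.113.45 method="https" action="login" status="success" profile="super_admin"',
    'date=2025-12-17 time=03:12:09 type="event" subtype="system" logdesc="Admin login successful" '
    'user="svc_backup" srcip=10.0.0.5 method="sso" action="login" status="success" profile="super_admin"',
    'date=2025-12-17 time=11:05:33 type="event" subtype="system" logdesc="Admin login failed" '
    'user="admin" srcip=198.51.100.7 method="https" action="login" status="failed" profile="super_admin"',
]

# key=value where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: (quoted or bare) for key, _whole, quoted, bare in KV_RE.findall(line)}


def audit(lines, allowed_networks, business_hours=(7, 19), unexpected_methods=("sso",)):
    """Return one finding per successful admin login that came from outside
    allowed_networks, outside business_hours (start inclusive, end exclusive,
    device-local hours) or via a login method the operator does not expect."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue                      # failed attempts are a separate signal
        when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(ev["srcip"])
        reasons = []
        if not any(src in net for net in nets):
            reasons.append("unfamiliar source IP")
        if not (business_hours[0] <= when.hour < business_hours[1]):
            reasons.append("outside business hours")
        if ev.get("method") in unexpected_methods:
            reasons.append("unexpected login method")
        if reasons:
            findings.append({"user": ev.get("user"), "srcip": str(src),
                             "time": when.isoformat(), "profile": ev.get("profile"),
                             "method": ev.get("method"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print(f"{f['time']} {f['user']:12s} {f['srcip']:15s} {', '.join(f['reasons'])}")
```

Run against exported event logs, the allow-list should contain only the management networks from which administrators legitimately connect; a successful super_admin login that trips any of the three checks is worth correlating with the firewall's configuration change log for the same window.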