CVE-2025-59718 is a critical security vulnerability discovered in Fortinet's FortiOS, FortiProxy, and FortiSwitchManager products across multiple versions (FortiOS 7.0.0 through 7.6.3, FortiProxy 7.0.0 through 7.6.3, FortiSwitchManager 7.0.0 through 7.2.6). The root cause is an improper verification of cryptographic signatures in SAML response messages used by FortiCloud Single Sign-On (SSO) authentication. This flaw allows an unauthenticated attacker to craft a malicious SAML response that bypasses the authentication mechanism, effectively granting unauthorized access to the system. The vulnerability impacts confidentiality, integrity, and availability, as attackers can gain full control without any user interaction or prior authentication. The CVSS v3.1 base score of 9.1 (critical) reflects the ease of exploitation (network vector, low complexity, no privileges required, no user interaction) and the severe impact on all security properties. Although no public exploits are reported yet, the vulnerability is highly likely to be targeted due to the widespread use of Fortinet products in enterprise and critical infrastructure environments. The improper cryptographic verification suggests a failure in validating the authenticity and integrity of SAML assertions, which are fundamental to secure federated identity management. This could lead to unauthorized access to sensitive network resources, data exfiltration, and potential lateral movement within affected networks. The vulnerability affects multiple Fortinet products that are widely deployed in European organizations for firewalling, proxy services, and network management, making it a significant threat vector.

For European organizations, the impact of CVE-2025-59718 is substantial. Fortinet products are extensively used across Europe in government, finance, telecommunications, and critical infrastructure sectors. Exploitation of this vulnerability allows attackers to bypass authentication controls, potentially gaining administrative access to network security devices. This can lead to unauthorized data access, manipulation of network traffic, disruption of services, and deployment of further attacks such as ransomware or espionage. The breach of SSO authentication undermines trust in identity management systems, increasing the risk of persistent threats and insider-like access. Given the criticality of affected systems in network perimeter defense and internal segmentation, a successful attack could compromise entire organizational networks. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Additionally, the vulnerability could be leveraged to target European Union institutions and companies subject to strict data protection regulations (e.g., GDPR), resulting in legal and financial repercussions.

Organizations should immediately inventory their Fortinet devices to identify affected versions of FortiOS, FortiProxy, and FortiSwitchManager. Although no patch links are provided yet, it is imperative to monitor Fortinet advisories and apply security updates as soon as they become available. In the interim, administrators should consider disabling FortiCloud SSO integration or restricting SAML authentication to trusted identity providers with additional verification layers. Implement network segmentation to isolate management interfaces and restrict access to Fortinet devices to trusted administrative networks only. Enable and closely monitor detailed authentication and access logs for anomalous SAML responses or unexpected login attempts. Employ multi-factor authentication (MFA) on all administrative accounts to add an additional security layer. Conduct penetration testing and vulnerability assessments focusing on SAML authentication flows to detect potential exploitation. Finally, establish incident response plans tailored to potential compromise scenarios involving Fortinet devices.