CVE-2025-59718 is a critical security vulnerability identified in Fortinet's FortiSwitchManager and several FortiOS and FortiProxy versions. The root cause is an improper verification of cryptographic signatures within SAML response messages used for FortiCloud Single Sign-On (SSO) authentication. Specifically, the affected versions fail to correctly validate the cryptographic signature of the SAML response, allowing an unauthenticated attacker to craft a malicious SAML response that bypasses the authentication mechanism entirely. This bypass enables the attacker to gain unauthorized access to the management interface without any credentials or user interaction. The vulnerability spans multiple Fortinet products and versions, including FortiOS 7.0.0 through 7.6.3, FortiProxy 7.0.0 through 7.6.3, and FortiSwitchManager 7.0.0 through 7.2.6. The CVSS v3.1 base score is 9.1, reflecting the ease of remote exploitation (no authentication or user interaction required) and the severe impact on confidentiality, integrity, and availability of the affected systems. Exploitation could lead to full compromise of network management infrastructure, enabling attackers to manipulate network configurations, intercept or redirect traffic, and disrupt services. Although no public exploits are currently known, the critical nature of the flaw and the widespread use of Fortinet products in enterprise environments make it a high-priority threat. The vulnerability was publicly disclosed on December 9, 2025, with Fortinet expected to release patches to address the issue. Until patches are applied, organizations remain vulnerable to remote compromise via malicious SAML responses targeting FortiCloud SSO.

For European organizations, the impact of CVE-2025-59718 is substantial due to the widespread deployment of Fortinet products in enterprise and critical infrastructure networks. Successful exploitation allows attackers to bypass authentication controls and gain unauthorized administrative access to FortiSwitchManager and related Fortinet management platforms. This can lead to full compromise of network devices, enabling attackers to alter configurations, intercept sensitive data, disrupt network operations, and potentially move laterally within the network. Confidentiality is severely impacted as attackers can access sensitive network management data and credentials. Integrity is compromised through unauthorized configuration changes, and availability can be affected by deliberate disruption or misconfiguration of network devices. Given the critical role of Fortinet devices in securing network perimeters and internal segments, exploitation could facilitate large-scale cyberattacks, data breaches, or service outages. European organizations in sectors such as finance, telecommunications, government, and energy are particularly at risk due to their reliance on Fortinet solutions for secure network management and cloud authentication. The lack of required authentication and user interaction makes this vulnerability highly exploitable, increasing the urgency for mitigation.

1. Apply official patches from Fortinet immediately once they are released for all affected FortiOS, FortiProxy, and FortiSwitchManager versions. 2. Until patches are available, restrict network access to FortiSwitchManager and related management interfaces using strict firewall rules and network segmentation to limit exposure to trusted administrative hosts only. 3. Monitor SAML authentication traffic for unusual or malformed SAML responses that could indicate exploitation attempts. 4. Implement multi-factor authentication (MFA) for FortiCloud SSO wherever possible to add an additional layer of security beyond SAML assertions. 5. Conduct regular audits of Fortinet device configurations and access logs to detect unauthorized access or configuration changes. 6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous SAML traffic or known attack patterns targeting Fortinet products. 7. Educate network administrators about the vulnerability and ensure they follow secure operational procedures, including using dedicated management networks. 8. Consider deploying additional endpoint and network monitoring tools to detect lateral movement or suspicious activities post-compromise. These measures collectively reduce the attack surface and improve detection and response capabilities while awaiting patch deployment.