CVE-2025-59718 is a critical security vulnerability identified in Fortinet's FortiSwitchManager and several FortiOS and FortiProxy versions. The root cause is an improper verification of cryptographic signatures in SAML response messages used for FortiCloud Single Sign-On (SSO) authentication. Specifically, the affected versions fail to correctly validate the cryptographic signature of the SAML response, allowing an unauthenticated attacker to craft a malicious SAML response that bypasses the authentication mechanism entirely. This vulnerability spans FortiOS versions 7.0.0 through 7.6.3, FortiProxy versions 7.0.0 through 7.6.3, and FortiSwitchManager versions 7.0.0 through 7.2.6. The flaw enables attackers to gain unauthorized access to administrative interfaces without credentials, potentially leading to full system compromise. The CVSS v3.1 score is 9.1 (critical), reflecting network exploitability without privileges or user interaction, and complete impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability's nature suggests high risk of future exploitation. The vulnerability undermines the trust model of SAML-based SSO, a widely used authentication standard, making it particularly dangerous in enterprise environments relying on Fortinet's security infrastructure.

The impact of CVE-2025-59718 is severe for organizations globally that deploy Fortinet FortiSwitchManager, FortiOS, or FortiProxy products within the affected versions. Successful exploitation allows unauthenticated attackers to bypass SSO authentication, granting them administrative access to network management interfaces. This can lead to unauthorized configuration changes, interception or manipulation of network traffic, deployment of malicious firmware or backdoors, and disruption of network availability. The compromise of these critical network components can cascade to broader enterprise network breaches, data exfiltration, and operational outages. Given Fortinet's widespread use in enterprise, government, and critical infrastructure sectors, the vulnerability poses a significant threat to confidentiality, integrity, and availability of network operations. The lack of required user interaction and the ability to exploit remotely over the network further amplify the risk. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a prime target for threat actors aiming to gain persistent footholds in high-value networks.

1. Apply official patches and updates from Fortinet immediately once they are released for all affected FortiOS, FortiProxy, and FortiSwitchManager versions. 2. Until patches are available, restrict network access to Fortinet management interfaces using firewall rules and VPNs to limit exposure to trusted administrators only. 3. Implement strict network segmentation to isolate Fortinet management systems from general user networks and the internet. 4. Enable and monitor detailed logging and alerting on Fortinet devices for anomalous authentication attempts or unexpected SAML responses. 5. Conduct regular audits of Fortinet device configurations and access controls to detect unauthorized changes. 6. Consider disabling FortiCloud SSO integration temporarily if feasible, or enforce multi-factor authentication on management interfaces as an additional layer of defense. 7. Educate security teams on the nature of SAML signature verification flaws and prepare incident response plans for potential exploitation scenarios. 8. Collaborate with Fortinet support and subscribe to threat intelligence feeds for updates on exploit developments and mitigation guidance.