CVE-2025-59719 is an improper access control vulnerability found in Fortinet FortiWeb versions 8.0.0, 7.6.0 through 7.6.4, and 7.4.0 through 7.4.9. The flaw arises from improper verification of cryptographic signatures within SAML response messages used in FortiCloud Single Sign-On (SSO) authentication. Specifically, the FortiWeb appliance fails to correctly validate the authenticity of the SAML response, allowing an attacker to craft a malicious SAML response that bypasses the authentication process entirely. This bypass enables an unauthenticated attacker to gain access to the system as if they were a legitimate user, without needing valid credentials or any user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly accessible to attackers. The impact is severe, affecting confidentiality, integrity, and availability (C:H/I:H/A:H), as unauthorized access can lead to data disclosure, manipulation, and service disruption. The vulnerability has been assigned a CVSS v3.1 score of 9.1, reflecting its critical nature. Although no public exploits are currently known, the vulnerability's characteristics suggest that exploitation could be straightforward once a proof-of-concept is developed. FortiWeb is widely used for web application firewalling and secure access, making this vulnerability particularly dangerous in environments relying on FortiCloud SSO for authentication.

For European organizations, the impact of CVE-2025-59719 is substantial. FortiWeb appliances are commonly deployed to protect web applications and provide secure authentication via FortiCloud SSO. Exploitation of this vulnerability allows attackers to bypass authentication controls, potentially gaining unauthorized access to sensitive systems and data. This can lead to data breaches involving personal data protected under GDPR, resulting in legal and financial penalties. Additionally, attackers could manipulate or disrupt web applications, causing operational downtime and reputational damage. Critical sectors such as finance, healthcare, government, and telecommunications that rely on FortiWeb for security are at heightened risk. The vulnerability's network-exploitable nature means attackers can launch attacks remotely, increasing the threat surface. Given the criticality and ease of exploitation, European organizations must prioritize remediation to avoid severe confidentiality, integrity, and availability impacts.

1. Immediate application of vendor-provided patches or updates for FortiWeb versions 8.0.0, 7.6.0 through 7.6.4, and 7.4.0 through 7.4.9 once available. 2. If patches are not yet available, disable FortiCloud SSO integration temporarily to prevent exploitation via SAML response manipulation. 3. Implement strict network segmentation and access controls to limit exposure of FortiWeb appliances to untrusted networks. 4. Monitor authentication logs and SAML traffic for anomalies indicative of crafted or malformed SAML responses. 5. Employ multi-factor authentication (MFA) at other layers to reduce risk if SSO is compromised. 6. Conduct regular security assessments and penetration testing focusing on SSO and web application firewall configurations. 7. Educate security teams about this vulnerability and ensure incident response plans include scenarios involving SSO bypass. 8. Review and harden SAML configurations, including signature validation settings, to ensure compliance with best practices. 9. Engage with Fortinet support for guidance and early access to patches or mitigations.