CVE-2025-59718: Critical FortiCloud SSO Authentication Bypass

Umut Bayram | 3 MIN READ | March 04, 2026

CVE-2025-59718 is a critical authentication bypass vulnerability affecting the FortiCloud Single Sign-On (SSO) feature. Classified as an Improper Verification of Cryptographic Signature (CWE-347), this flaw permits unauthenticated remote attackers to gain administrative access.

Attackers can exploit this by submitting a specially crafted SAML (Security Assertion Markup Language) packet to the /remote/saml/login endpoint.

This issue impacts various versions of FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.

In this blog post, we will explain FortiCloud SSO and how CVE-2025-59718 affects this product.

What is FortiCloud SSO?

FortiCloud Single Sign-On (SSO) is a centralized authentication feature that permits administrative access to devices using FortiCloud credentials.

By default, this functionality is disabled in factory settings. However, the feature is automatically enabled if a device is registered to FortiCare via the Graphical User Interface (GUI), unless the "Allow administrative login using FortiCloud SSO" option is explicitly disabled during the registration process [1].

How Does the CVE-2025-59718 in FortiCloud SSO Work?

The vulnerability is classified as an Improper Verification of Cryptographic Signature (CWE-347). It exists within the processing of SAML responses used for FortiCloud SSO authentication. Due to the lack of correct signature validation, the device accepts the malicious SAML message, granting the attacker administrative access [2].

An attacker can exploit this vulnerability by crafting a malicious SAMLResponse sent to the /remote/saml/login endpoint that claims to be from a trusted issuer (e.g., https://sso.forticloud.com) and asserts the identity of a privileged user, such as super_admin. Because the system fails to validate the cryptographic signature of the SAML assertion, it is accepted as valid. This allows unauthorized actors to gain privileged access to the device.

Here is an excerpt of the payload sent in the POST request body [3]:

<samlp:Response ...
  <saml:Issuer ...>https://sso.forticloud.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  ...
  <saml:Attribute Name="role">
    <saml:AttributeValue>super_admin</saml:AttributeValue>
  </saml:Attribute>

This excerpt carries a role attribute with the value super_admin, so a device that does not verify the signature grants the forged session privileged access immediately upon login.
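As an added illustration (not code from this post, from Fortinet or from Picus), the Python triage check below decodes a SAMLResponse form value like the one above and flags what a signature-ignoring endpoint would let through: no ds:Signature element at all, an issuer outside an assumed allow-list, and a privileged role claim. The sample messages, the allow-list and the placeholder signature element are constructed for the example; a real verifier must additionally validate the XMLDSig against the IdP certificate.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace prefixes as they appear in the payload fragment above.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRUSTED_ISSUERS = {"https://sso.forticloud.com"}  # assumed allow-list
PRIVILEGED_ROLES = {"super_admin"}


def triage_saml_response(b64_response: str) -> list[str]:
    """Return findings for one SAMLResponse form value (base64-encoded XML).

    Triage only: it does not replace XMLDSig verification against the IdP
    certificate, the control that CWE-347 describes as missing here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.find(".//ds:Signature", NS) is None:  # nothing to verify at all
        findings.append("no_signature")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        findings.append("untrusted_issuer:" + (issuer or "<none>"))
    for value in root.iterfind(".//saml:Attribute[@Name='role']/saml:AttributeValue", NS):
        role = (value.text or "").strip()
        if role in PRIVILEGED_ROLES:
            findings.append("privileged_role:" + role)
    return findings


# Constructed sample modelled on the fragment above; {sig} and {role} are
# filled in by sample() to produce unsigned and placeholder-signed variants.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sso.forticloud.com</saml:Issuer>{sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
PLACEHOLDER_SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'


def sample(signed: bool, role: str = "super_admin") -> str:
    """Base64-encode a constructed SAMLResponse as it would arrive in the POST body."""
    xml = SAMPLE_XML.format(sig=PLACEHOLDER_SIG if signed else "", role=role)
    return base64.b64encode(xml.encode()).decode()
```

Run against the unsigned sample, triage_saml_response returns both no_signature and privileged_role:super_admin, which is exactly the combination a correctly verifying endpoint would reject.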

How Does Picus Help Simulate FortiCloud SSO CVE-2025-59718 Attacks?

We also strongly suggest simulating the FortiCloud SSO CVE-2025-59718 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for FortiCloud SSO CVE-2025-59718 vulnerability exploitation attacks:

| Threat ID | Threat Name                    | Attack Module   |
|-----------|--------------------------------|-----------------|
| 31317     | FortiProxy Web Attack Campaign | Web Application |
| 85726     | FortiOS Web Attack Campaign    | Web Application |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • CVE-2025-59718 is a critical authentication bypass vulnerability within the FortiCloud Single Sign-On feature that allows unauthenticated remote attackers to gain administrative access.
  • The vulnerability is caused by the improper verification of cryptographic signatures (CWE-347) during the processing of SAML responses sent to the /remote/saml/login endpoint.
  • The issue impacts various versions of Fortinet products, specifically FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.
  • The Picus Security Validation Platform can simulate the FortiCloud SSO CVE-2025-59718 vulnerability using the Web Application attack module to test the effectiveness of existing security controls.

References

[1] “PSIRT,” FortiGuard Labs. Accessed: Jan. 23, 2026. [Online]. Available: https://fortiguard.fortinet.com/psirt/FG-IR-25-647

[2] “NVD - CVE-2025-59718.” Accessed: Jan. 23, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-59718

[3] K. J. (exfil0), “exploit.py,” CVE-2025-59718-PoC, GitHub. Accessed: Jan. 23, 2026. [Online]. Available: https://github.com/exfil0/CVE-2025-59718-PoC/blob/main/exploit.py
