CVE-2025-59718 is a critical authentication bypass vulnerability affecting the FortiCloud Single Sign-On (SSO) feature. Classified as an Improper Verification of Cryptographic Signature (CWE-347), this flaw permits unauthenticated remote attackers to gain administrative access.
Attackers can exploit this by submitting a specially crafted SAML (Security Assertion Markup Language) packet to the /remote/saml/login endpoint.
This issue impacts various versions of FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.
In this blog post, we will explain FortiCloud SSO and how CVE-2025-59718 affects this product.
FortiCloud Single Sign-On (SSO) is a centralized authentication feature that permits administrative access to devices using FortiCloud credentials.
By default, this functionality is disabled in factory settings. However, the feature is automatically enabled if a device is registered to FortiCare via the Graphical User Interface (GUI), unless the "Allow administrative login using FortiCloud SSO" option is explicitly disabled during the registration process [1].
The vulnerability is classified as an Improper Verification of Cryptographic Signature (CWE-347). It exists within the processing of SAML responses used for FortiCloud SSO authentication. Due to the lack of correct signature validation, the device accepts the malicious SAML message, granting the attacker administrative access [2].
An attacker can exploit this vulnerability by crafting a malicious SAMLResponse sent to the /remote/saml/login endpoint that claims to be from a trusted issuer (e.g., https://sso.forticloud.com) and asserts the identity of a privileged user, such as super_admin. Because the system fails to validate the cryptographic signature of the SAML assertion, it is accepted as valid. This allows unauthorized actors to gain privileged access to the device.
Here is part of an example payload sent in the POST request body [3]:
<samlp:Response ...
This example includes a role attribute with the value super_admin, so that privileged access is granted immediately upon login.
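The check the device skips is easiest to see in code. The following is an added example, not code from this post, from Fortinet or from the referenced PoC: a constructed, SAML-shaped response is handled by two relying-party functions, one that trusts the Issuer and role claims as soon as it has parsed them (the CWE-347 pattern) and one that verifies a signature over the assertion before deriving any identity from it. An HMAC-SHA256 with a constructed key stands in for the XML-DSig RSA signature and canonicalization a real IdP uses, so the block runs with the Python standard library only; the issuer https://sso.forticloud.com and the super_admin role value come from the post, while the element layout, the key, and every function name are assumptions made for this example.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespaces, registered so serialization is stable.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

TRUSTED_ISSUER = "https://sso.forticloud.com"  # issuer named in the post
# Constructed shared key: stands in for the IdP signing certificate that the
# relying party would pin in a real XML-DSig deployment.
IDP_KEY = b"constructed-idp-signing-key"
_ROLE_PATH = ("saml:Assertion/saml:AttributeStatement/"
              "saml:Attribute[@Name='role']/saml:AttributeValue")


def canonical_bytes(assertion):
    """Assertion serialized with any Signature child removed (simplified
    stand-in for XML-DSig canonicalization; signer and verifier share it)."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone)


def build_response(issuer, user, role, key=None):
    """Constructed SAML-shaped response, base64-encoded like the SAMLResponse
    POST parameter. With `key` the assertion carries a valid MAC; without it
    the assertion is unsigned."""
    assertion = ET.fromstring(
        '<saml:Assertion xmlns:saml="{ns}"><saml:Issuer>{i}</saml:Issuer>'
        '<saml:Subject><saml:NameID>{u}</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement><saml:Attribute Name="role">'
        '<saml:AttributeValue>{r}</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>'
        .format(ns=NS["saml"], i=issuer, u=user, r=role))
    if key is not None:
        mac = hmac.new(key, canonical_bytes(assertion), hashlib.sha256).hexdigest()
        sig = ET.SubElement(assertion, "{%s}Signature" % NS["ds"])
        ET.SubElement(sig, "{%s}SignatureValue" % NS["ds"]).text = mac
    root = ET.Element("{%s}Response" % NS["samlp"])
    root.append(assertion)
    return base64.b64encode(ET.tostring(root)).decode()


def _claims(root):
    """Issuer, NameID and role exactly as asserted, verified or not."""
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    user = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    return issuer, user, root.findtext(_ROLE_PATH, namespaces=NS)


def login_vulnerable(saml_response_b64):
    """CWE-347 pattern: issuer string and identity claims are trusted without
    checking that the IdP signed them, so an unsigned assertion that merely
    names the trusted issuer is accepted."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer, user, role = _claims(root)
    if issuer != TRUSTED_ISSUER or not user:
        return None
    return {"user": user, "role": role}


def login_fixed(saml_response_b64):
    """Verify first, then read claims: unsigned, wrongly signed or tampered
    assertions are rejected before any identity is derived from them."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    sig_value = assertion.findtext("ds:Signature/ds:SignatureValue", namespaces=NS)
    if not sig_value:
        return None  # a missing signature is a rejection, never a fall-through
    expected = hmac.new(IDP_KEY, canonical_bytes(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_value.strip()):
        return None  # signature was not produced with the trusted key
    issuer, user, role = _claims(root)
    if issuer != TRUSTED_ISSUER or not user:
        return None
    return {"user": user, "role": role}


def tampered_copy(saml_response_b64, new_role):
    """Test fixture: a signed response whose role was edited after signing."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    root.find(_ROLE_PATH, NS).text = new_role
    return base64.b64encode(ET.tostring(root)).decode()


if __name__ == "__main__":
    unsigned = build_response(TRUSTED_ISSUER, "super_admin", "super_admin")
    signed = build_response(TRUSTED_ISSUER, "alice", "read_only", key=IDP_KEY)
    print("unsigned:", login_vulnerable(unsigned), "vs", login_fixed(unsigned))
    print("signed:  ", login_fixed(signed))
    print("tampered:", login_fixed(tampered_copy(signed, "super_admin")))
```

The order of operations in login_fixed is the whole point: the signature is verified against a key the relying party already holds before the Issuer, NameID or role text is even read, and a missing or mismatching signature ends the request rather than falling back to the claims. With real SAML the same structure applies, only the MAC is replaced by XML-DSig verification against the pinned IdP certificate, including canonicalization and a check that the signed reference actually covers the assertion being consumed.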
We also strongly suggest simulating the FortiCloud SSO CVE-2025-59718 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for FortiCloud SSO CVE-2025-59718 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 31317 | FortiProxy Web Attack Campaign | Web Application |
| 85726 | FortiOS Web Attack Campaign | Web Application |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
[1] “PSIRT,” FortiGuard Labs. Accessed: Jan. 23, 2026. [Online]. Available: https://fortiguard.fortinet.com/psirt/FG-IR-25-647
[2] “NVD - CVE-2025-59718.” Accessed: Jan. 23, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-59718
[3] K. J. (exfil0), “exploit.py at main · exfil0/CVE-2025-59718-PoC,” GitHub. Accessed: Jan. 23, 2026. [Online]. Available: https://github.com/exfil0/CVE-2025-59718-PoC/blob/main/exploit.py