High

On December 16, 2025, CISA officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, designating a critical remediation deadline of December 23, 2025. This vulnerability is actively exploited in the wild, posing an immediate threat to enterprise networks. It affects multiple Fortinet products, including FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb, and allows attackers to bypass FortiCloud Single Sign-On (SSO) via specially crafted SAML messages, effectively granting unauthorized network access without valid credentials.

The flaw stems from improper verification of cryptographic signatures (CWE-347), making it an authentication bypass vulnerability. A related vulnerability, CVE-2025-59719, shares the same root cause and is documented alongside CVE-2025-59718, emphasizing the need for comprehensive patching across all affected systems. The attack vector is unauthenticated and network-based, meaning attackers do not require prior access or credentials to exploit the flaw, increasing its risk for exposed edge security devices and web application firewalls.

Fortinet has released vendor advisories addressing the issue, and administrators are urged to apply all available patches immediately. CISA’s inclusion of this vulnerability in the KEV catalog mandates compliance with federal security guidance, particularly for organizations operating cloud services. Agencies and enterprises are advised to follow BOD 22-01 guidance when implementing Fortinet cloud solutions, while environments unable to patch immediately should consider discontinuing vulnerable products until mitigations are verified.

Security teams must prioritize inventory audits of affected Fortinet products and initiate emergency patching procedures to meet the December 23 deadline. While there is no confirmed link to ransomware campaigns at present, the active exploitation underscores the urgency of remediation. Timely patching is critical to prevent credential-free network intrusion and maintain regulatory compliance, especially for systems exposed to the internet or handling sensitive enterprise data.