CISA Adds Fortinet Signature Verification Vulnerability to KEV Catalog After Active Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, marking the latest Fortinet vulnerability being actively exploited in the wild.

The flaw affects multiple Fortinet products and poses a significant threat to organisations relying on FortiCloud single sign-on (SSO) authentication.

Vulnerability Details

CVE-2025-59718 is an improper cryptographic signature verification vulnerability affecting Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb.

The security flaw enables unauthenticated attackers to bypass FortiCloud SSO login authentication by crafting malicious SAML messages.

This attack vector is particularly dangerous because it requires no prior authentication or special privileges, making it accessible to threat actors with minimal technical barriers.

The vulnerability stems from inadequate cryptographic signature validation during the SAML authentication process, classified under CWE-347.

A related flaw, CVE-2025-59719, addresses the same underlying issue and is documented in Fortinet’s advisory, requiring organisations to apply all recommended patches.

CISA added this vulnerability to the KEV catalog on December 16, 2025, with a seven-day remediation deadline of December 23, 2025.

The expedited timeline reflects the active exploitation of this flaw in real-world environments. Organisations using affected Fortinet products must treat this as a critical priority.

While current intelligence does not confirm this vulnerability’s use in ransomware campaigns, the active exploitation, combined with the authentication bypass capability, creates considerable risk.

Attackers could potentially gain unauthorised access to critical infrastructure and networks, establishing initial footholds for subsequent intrusions.

CISA guidance emphasises immediate remediation in accordance with vendor instructions. Organisations should prioritise applying all patches mentioned in Fortinet’s security advisory for both CVE-2025-59718 and CVE-2025-59719.

For systems where patches cannot be deployed immediately, administrators must implement available mitigations or consider discontinuing use of the product to comply with BOD 22-01, particularly for cloud services.

Security teams should verify their inventory of Fortinet products, prioritise patching, and monitor for suspicious SAML authentication attempts that may indicate exploitation attempts.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post CISA Adds Fortinet Signature Verification Vulnerability to KEV Catalog After Active Exploitation appeared first on Cyber Security News.