Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2025-59719 -- CVSS 9.8 Vulnerability Briefing

CVE-2025-59719 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2025-59719 is an improper cryptographic signature verification vulnerability in Fortinet FortiWeb's FortiCloud SSO authentication flow, affecting the SAML-based login mechanism across multiple supported versions of the web application firewall platform.

Technical Detail

The flaw exists in FortiWeb's handling of SAML response messages during FortiCloud SSO authentication: the product fails to properly verify the cryptographic signature of incoming SAML assertions, allowing an attacker to craft a malicious SAML response that the system accepts as legitimate. An unauthenticated remote attacker can exploit this by submitting a specially crafted SAML response to the FortiCloud SSO login endpoint, bypassing authentication entirely without valid credentials. Successful exploitation grants the attacker unauthorized access to the FortiWeb management interface, with the potential to reconfigure web application firewall policies, expose protected backend applications, or pivot further into the environment.

Exploitation Status

A proof-of-concept exploit is publicly available for this vulnerability. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active in-the-wild exploitation has not been officially confirmed as of this writing. However, the availability of a PoC combined with the critical CVSS score of 9.8 and the unauthenticated attack vector significantly elevates the risk of exploitation in the near term.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No known campaigns or targeted sector activity has been linked to this CVE in available intelligence. Given that FortiWeb is widely deployed in enterprise and government environments as a perimeter security control, opportunistic actors as well as more targeted intrusion sets with a history of exploiting Fortinet products should be considered plausible threats.

What To Do

Organizations running FortiWeb 8.0.0, 7.6.0 through 7.6.4, or 7.4.0 through 7.4.9 should treat patching as an immediate priority given the critical severity rating and unauthenticated attack surface. Apply the vendor-supplied fix from Fortinet as soon as it is available and validated for your environment. As an interim measure, restrict access to the FortiWeb management interface and FortiCloud SSO login endpoints to trusted IP ranges only, and disable FortiCloud SSO if it is not operationally required. Monitor authentication logs for anomalous SAML assertion activity or unexpected successful logins from unrecognized sources. Review Fortinet's official advisory for specific fixed version numbers and any additional vendor-recommended mitigations.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →