CrowdSec
CrowdSec Score: 2/10

FortiSwitchManager - Privilege Escalation (CVE-2025-59718)

Published on 09-12-2025
First seen on 18-12-2025

Exploiting IPs reported: 7

An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, and FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

CrowdSec analysis

CVE-2025-59718 is a critical vulnerability in multiple Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager, that stems from improper verification of the cryptographic signature on the SAML response used for FortiCloud SSO login. Because the signature is not properly checked, an unauthenticated attacker who can reach the SSO login endpoint can submit a crafted SAML response and be accepted as a legitimate SSO user without holding valid identity-provider credentials. On a firewall, proxy, or switch manager this is the management plane: a successful bypass can grant administrative access to the device, from which an attacker can change policy, escalate privileges, and pivot further into the environment.

CrowdSec has been tracking this vulnerability and exploitation attempts against it since 17 December 2025.

Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2025-59718 is opportunistic: attackers scan the whole internet indiscriminately with automated tooling, with no target selection or prior reconnaissance. The same telemetry shows that exploitation has declined significantly over the past week, with attack volumes well below the long-term average, suggesting the vulnerability is falling out of active use across most of the threat landscape. A drop in scanning volume does not make unpatched devices safe, however: a single successful SAML bypass still yields administrative access, so patching and reviewing SSO login logs remain the priority.

Attackers exploit this vulnerability by sending crafted SAMLResponse values in POST requests to the /remote/saml/login endpoint, attempting to bypass FortiCloud SSO authentication and gain administrative access. When hunting for this, review web-access logs for POSTs to that path from source addresses that are not your identity provider or your administrators, and keep in mind that a SAMLResponse that merely contains a Signature element is not evidence that the signature was ever validated; that missing validation is the flaw itself.
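The following triage script is an added example, not CrowdSec's or Fortinet's code. It takes a handful of constructed requests (not real telemetry; the dict layout and the sample SAML documents are assumptions standing in for whatever your log pipeline emits), keeps only POSTs to /remote/saml/login, decodes the posted SAMLResponse, and reports whether the document carries an Issuer, a Destination, and any ds:Signature element. It deliberately stops at structure: a present Signature is reported as "verify against IdP cert", not as valid, because deciding validity requires a real XML-DSig check against the identity provider's certificate, which is exactly the step this vulnerability class gets wrong.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

TARGET_PATH = "/remote/saml/login"  # SSO endpoint named on this page


def _fake_response(signed: bool) -> str:
    """Constructed, minimal SAML 2.0 Response used only for the sample below.

    The Signature element is structurally present when signed=True but is
    not a real XML-DSig, which is why triage must not treat its presence
    as proof of validity."""
    sig = (
        f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignatureValue>'
        "AAAA</ds:SignatureValue></ds:Signature>"
        if signed else ""
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        'ID="_r1" Version="2.0" '
        'Destination="https://fw.example.invalid/remote/saml/login">'
        "<saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>"
        f"{sig}"
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def _form_body(xml_text: str) -> str:
    """Encode a SAML document the way a browser form posts it (base64, then URL-encoded)."""
    return urlencode({"SAMLResponse": base64.b64encode(xml_text.encode()).decode()})


# Constructed sample requests (hypothetical, not CrowdSec telemetry).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": TARGET_PATH,
     "body": _form_body(_fake_response(signed=False))},
    {"src": "203.0.113.11", "method": "POST", "path": TARGET_PATH,
     "body": _form_body(_fake_response(signed=True))},
    {"src": "203.0.113.12", "method": "POST", "path": TARGET_PATH,
     "body": "SAMLResponse=%%%notbase64%%%"},          # junk payload from a scanner
    {"src": "203.0.113.13", "method": "GET", "path": "/remote/login", "body": ""},
]


def assess_saml_response(b64_value: str) -> dict:
    """Decode a posted SAMLResponse and report the fields a verifier would need to check."""
    try:
        root = ET.fromstring(base64.b64decode(b64_value, validate=True))
    except (binascii.Error, ValueError, ET.ParseError):
        return {"decodable": False}
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    return {
        "decodable": True,
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "signature_count": len(list(root.iter(f"{{{NS_DS}}}Signature"))),
        "assertion_count": len(list(root.iter(f"{{{NS_SAML}}}Assertion"))),
    }


def triage(requests: list) -> list:
    """Flag POSTs to the SSO endpoint whose SAMLResponse is undecodable or unsigned.

    A present Signature is NOT validated here: that needs the IdP certificate
    and a real XML-DSig check, so such requests are only marked for review."""
    findings = []
    for req in requests:
        if req["method"] != "POST" or req["path"] != TARGET_PATH:
            continue
        values = parse_qs(req["body"]).get("SAMLResponse")
        if not values:
            continue
        info = assess_saml_response(values[0])
        if not info["decodable"]:
            verdict = "undecodable SAMLResponse"
        elif info["signature_count"] == 0:
            verdict = "unsigned SAMLResponse"
        else:
            verdict = "structurally signed; verify against IdP cert"
        findings.append({"src": req["src"], "verdict": verdict, **info})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        print(f["src"], f["verdict"], f.get("issuer"))
```

Feed it your own access-log export by mapping each record to the same src/method/path/body shape; any "unsigned" or "undecodable" hit from an address that is not your identity provider is worth an incident ticket, and every "structurally signed" hit from an unexpected source should be re-verified against the IdP certificate rather than trusted.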


Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

Using detections contributed across its worldwide network, CrowdSec maintains a list of IP addresses observed exploiting this vulnerability.

Blocking the addresses on this list reduces exposure to the opportunistic scanning described above; it does not replace patching, since a blocklist cannot stop a new source from attempting the same SAML bypass.