Fortinet Under Fire: Understanding CVE-2025-59718 and CVE-2025-59719

Fortinet Under Fire: Understanding CVE-2025-59718 and CVE-2025-59719

A deep-dive into Fortinet’s latest vulnerabilities affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb.

Overview

Two new Fortinet vulnerabilities - CVE-2025-59718 affecting FortiOS, FortiProxy, and FortiSwitchManager, and CVE-2025-59719 affecting FortiWeb - have entered the security spotlight. Fortinet has now published an official PSIRT advisory (FG-IR-25-647), confirming that both vulnerabilities originate in the management plane, the same high-value surface that has historically produced critical authentication bypasses, remote code execution (RCE), and unauthorized configuration manipulation.

These flaws matter because Fortinet appliances sit directly in the security pathway of enterprise networks. They govern firewalls, proxies, switching fabrics, and web application protections. When this layer is compromised, attackers gain leverage not over a single device, but over the entire security fabric that organizations depend on.

The new advisory and emerging technical indicators point to authentication weaknesses and input-handling flaws, both of which may allow pre-authentication access or privilege escalation. This follows a long-running pattern seen in previous high-impact Fortinet vulnerabilities exploited by financially motivated groups and state-aligned threat actors.

How It Works

CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager)

CVE-2025-59718 traces back to improper authentication handling or session validation failures in the mechanisms that secure Fortinet’s centralized management operations. FortiOS and FortiProxy share authentication components and REST API infrastructure, while FortiSwitchManager extends that logic to switch provisioning and configuration workflows.

The flaw likely exists in one of these mechanisms:

  • A mis-implemented session token validation routine in the administrative HTTPS interface, allowing crafted requests to bypass authentication entirely.
  • A logic flaw in the REST API preventing proper permission enforcement, enabling unauthorized administrative actions.
  • A weakness in RPC/daemon communication, granting access to privileged execution paths without identity validation.

When exploited, the vulnerability grants attackers the ability to issue high-privilege administrative commands. This includes creating new admin accounts, modifying firewall and proxy policies, exporting sensitive configurations, and pushing malicious changes to managed switches across the network.

CVE-2025-59719 (FortiWeb)

CVE-2025-59719 affects the FortiWeb Web Application Firewall and appears to originate from insufficient input validation or unsafe object processing within its management interface or backend daemons. FortiWeb relies on structured configuration objects, internal parsing engines, and command-handling modules to translate administrative actions into system operations.

The vulnerability likely manifests through one of these pathways:

  • A deserialization flaw that allows FortiWeb to process untrusted objects leading to attacker-controlled code execution.
  • A backend service interpreting parameters as shell instructions, enabling command injection.
  • An API endpoint exposing privileged backend functionality without proper validation.

Successful exploitation grants attackers direct access to the underlying operating system of the FortiWeb appliance. This enables manipulation of WAF policies, tampering with inspection models, extraction of SSL certificates, altering logging behavior, and creating persistent backdoors.

Risks

For CVE-2025-59718, unauthorized access to FortiOS or FortiProxy allows attackers to fully reconfigure perimeter security posture. They can disable inspection engines, introduce malicious routing rules, export VPN configurations, or create covert admin accounts. Because FortiSwitchManager is affected, malicious configurations can propagate across switching infrastructure.

For CVE-2025-59719, remote code execution on FortiWeb enables attackers to bypass protections, intercept sensitive traffic, suppress logs, or implant malicious routing rules. If SSL offloading is enabled, private key exposure dramatically escalates impact.

Given the rapid weaponization of previous Fortinet vulnerabilities, widespread exploitation remains highly likely - even before public exploit code becomes available.

Real Life Example Usage

Although no confirmed exploitation of CVE-2025-59718 or CVE-2025-59719 has been published at the time of writing, prior incidents highlight how attackers leverage Fortinet management-plane weaknesses.

In 2023 and 2024, multiple APT groups exploited pre-authentication FortiOS flaws by scanning for exposed management interfaces and delivering crafted HTTP requests that bypassed authentication logic. Once inside, attackers extracted VPN configurations, created hidden admin accounts, and modified policies to maintain long-term persistence - often undetected for months.

The same pattern applies here. A threat actor could scan for vulnerable firmware versions and deliver tailored requests targeting the authentication or input-processing flaws. For CVE-2025-59718, this may yield instant administrative access. For CVE-2025-59719, a single malicious payload may trigger remote code execution, enabling interception of application traffic and backdoor implantation.

Recommendations

Organizations should ensure no management interface is exposed to untrusted networks. Restrict administrative access to dedicated management VPNs, enforce strict IP allowlists, and require MFA for all privileged accounts.

Apply Fortinet’s official patches as soon as possible.

For CVE-2025-59718

  • FortiOS: 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+
  • FortiProxy: 7.6.4+, 7.4.11+, 7.2.15+, 7.0.22+
  • FortiSwitchManager: 7.2.7+, 7.0.6+

For CVE-2025-59719 (FortiWeb)

  • 8.0.1+
  • 7.6.5+
  • 7.4.10+

Until patching is completed, disable the “Allow administrative login using FortiCloud SSO” feature unless strictly required. Monitor logs for suspicious activity such as failed logins, unexpected configuration changes, or new admin accounts.

Organizations using FortiWeb should validate WAF rules, inspection profiles, and SSL certificate stores. Any anomalies should trigger immediate incident response, including forensic review or full appliance rebuild.

Finally, incorporate these CVEs into SIEM detection rules, threat intelligence workflows, and continuous monitoring pipelines. Close coordination between SOC, network engineering, and architecture teams is essential for rapid containment.