FortiCloud SSO authentication bypass in FortiOS/FortiProxy/FortiSwitchManager via crafted SAML response
CVE-2025-59718 is an improper verification of cryptographic signature vulnerability (CWE-347) in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. An unauthenticated, remote attacker who can reach the device's FortiCloud SSO login endpoint can bypass authentication by submitting a crafted SAML response message: the device accepts the attacker-crafted assertion without properly validating its signature against the FortiCloud identity provider. The bypass is reachable only on devices with FortiCloud SSO login enabled. Affected versions: FortiOS 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.17; FortiProxy 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, and 7.0.0 through 7.0.21; FortiSwitchManager 7.2.0 through 7.2.6 and 7.0.0 through 7.0.5.
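The failure mode described above is a service provider trusting what a SAML response says about itself instead of what a pinned key proves. The script below is an added example, not Fortinet's code and not any of the PoCs listed on this page, and the internals of the Fortinet bug are not public here: it builds SAML responses and checks them with a weak verifier (a familiar Issuer string plus a Signature element that is present but never verified) beside a strict one (signature verified against a pinned IdP key first, exactly one assertion bound by ID, then issuer, audience and validity window read from that assertion). XML-DSig is stood in for by HMAC-SHA256 over the C14N-canonicalised assertion so it runs on the standard library alone; the audience URL, IdP key and sample responses are constructed for the demonstration.

```python
"""Added example, not Fortinet code: a weak SAML verifier beside a strict one.
XML-DSig/RSA is stood in for by HMAC-SHA256 over the C14N assertion so this runs
on the standard library; key, audience and sample responses are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed SP configuration. The IdP key is pinned out of band; a key or
# certificate carried inside the message itself proves nothing.
TRUSTED_ISSUER = "https://sso.forticloud.com"  # issuer string the PoCs on this page use
TRUSTED_AUDIENCE = "https://fw.example.test/remote/saml/metadata"  # hypothetical SP entity ID
IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP certificate


def canonical_bytes(element):
    """Stand-in for XML-DSig canonicalisation: C14N 2.0 with prefixes rewritten."""
    xml = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(xml, strip_text=True, rewrite_prefixes=True).encode()


def sign(data, key):
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()


def build_response(name_id, key, issuer=TRUSTED_ISSUER, audience=TRUSTED_AUDIENCE,
                   minutes_valid=5, assertion_id="_a1"):
    """Build a SAMLResponse as the IdP (or an attacker lacking its key) would, base64-encoded."""
    now = datetime.now(timezone.utc)
    not_before = (now - timedelta(minutes=1)).strftime(TIME_FMT)
    not_after = (now + timedelta(minutes=minutes_valid)).strftime(TIME_FMT)
    assertion = ET.fromstring(f"""
<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}" IssueInstant="{now.strftime(TIME_FMT)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".strip())
    response = ET.Element(f"{{{SAMLP}}}Response", ID="_r1")
    ET.SubElement(response, f"{{{SAML}}}Issuer").text = issuer
    # Response-level signature whose Reference names the assertion it covers.
    signature = ET.SubElement(response, f"{{{DS}}}Signature")
    ET.SubElement(signature, f"{{{DS}}}Reference", URI=f"#{assertion_id}")
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = sign(canonical_bytes(assertion), key)
    response.append(assertion)
    return base64.b64encode(ET.tostring(response)).decode()


def verify_weak(saml_response_b64):
    """The bug class: familiar Issuer plus a Signature element that is never checked."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return None
    if root.find("ds:Signature", NS) is None:
        return None
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def verify_strict(saml_response_b64, now=None):
    """Verify against the pinned key first, then read only the assertion the signature covers."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    signature = root.find("ds:Signature", NS)
    if signature is None:
        return None
    reference = signature.find("ds:Reference", NS)
    sig_value = signature.findtext("ds:SignatureValue", namespaces=NS)
    if reference is None or not sig_value or not reference.get("URI", "").startswith("#"):
        return None
    # Bind the signature to exactly one assertion by ID; any other assertion in the
    # message is ignored (the usual route for signature-wrapping attacks).
    target_id = reference.get("URI")[1:]
    covered = [a for a in root.findall("saml:Assertion", NS) if a.get("ID") == target_id]
    if len(covered) != 1:
        return None
    assertion = covered[0]
    if not hmac.compare_digest(sign(canonical_bytes(assertion), IDP_KEY), sig_value):
        return None
    # Only now can fields inside the assertion be trusted.
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return None
    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) if conditions is not None else None
    if audience != TRUSTED_AUDIENCE:
        return None
    now = now or datetime.now(timezone.utc)
    not_before = datetime.strptime(conditions.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(conditions.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        return None
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Calling `verify_weak(build_response("admin", b"attacker-has-no-idp-key"))` logs in "admin" from a response signed with a key the IdP never held, while `verify_strict` returns None for it and "alice" only for a response signed with the pinned key. The ordering in the strict verifier is the point: issuer, audience and time checks all read fields the sender controls, so they mean nothing until the signature over that exact assertion has been verified.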
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
A Python proof-of-concept named “SCTT-0004 VORTEX” (also “SCTT-2026-33-0004”) that claims a Fortinet/FortiCloud SSO “temporal session collision” able to bypass the mitigations for CVE-2026-24858 by repeatedly driving the SSO login flow with precisely timed delays across 33 “layers”. Repository layout:
- README.md: the high-level claim and usage instructions (run the script with <target> and <token>; oscillate for 33 layers).
- SCTT-0004-VORTEX.py: the PoC itself. It creates a requests.Session with TLS verification disabled, computes a per-layer timing value (“temporal resonance”), crafts SAML-assertion-like structures per layer (NameID, Conditions, AuthnStatement, Fortinet identity attributes), and drives a multi-request sequence intended to cause an identity/session privilege collision. It includes an interactive authorization prompt and prints results.
- SCTT-2026-33-0004.json: metadata describing the claimed vulnerability, mapped to CWE-288 and CWE-347, with affected versions and references to CVE-2026-24858 and CVE-2025-59718.
- LICENSE: MIT.
Capabilities as implemented or claimed:
- Remote, network-based interaction with a FortiCloud/Fortinet SSO endpoint.
- Timing-based orchestration of 33 request iterations attempting an authentication bypass or privilege escalation via a session-table “collision”.
- A post-condition check that requests an admin resource path to infer elevated access.
Notable observables:
- Hardcoded relative paths /remote/saml/login and /admin/dashboard.
- SAML and Fortinet attribute URNs embedded in the crafted assertion structure.
- No hardcoded C2 infrastructure; the target is user-supplied.
The code reads as a PoC rather than a weaponized module: no real target fingerprinting, limited error handling in the excerpt reviewed, and no configurable payload beyond the request sequence. The timing-collision mechanism is the repository's own claim; nothing else on this page corroborates it.
A working proof-of-concept for CVE-2025-59718, the critical authentication bypass in Fortinet products (FortiOS, FortiProxy, FortiSwitchManager) that use FortiCloud SSO. The exploit is a single Python script, CVE-2025-59718.py, which forges a SAMLResponse XML payload impersonating an admin user and sends it to the target's /remote/saml/login endpoint, where the improper SAML signature verification lets it obtain administrative access without credentials. README.md gives vulnerability background, affected versions, mitigation advice, and usage instructions. The exploit is network-based, needs only the target's address, and on success returns a valid admin session cookie for further access. No detection logic or placeholder code is present; this is a functional exploit PoC.
Operational exploit code for CVE-2025-59718. Its README lists FortiOS, FortiProxy, FortiSwitchManager and FortiWeb as affected when FortiCloud SSO is enabled; FortiWeb is not in the vendor description above, so treat that part as the repository's own claim. Two Python scripts:
- poc.py: a minimal proof-of-concept that forges a SAMLResponse, base64-encodes it, and submits it to the target's /remote/saml/login endpoint. On success it grants admin access and prints session cookies for use in a browser.
- advanced-poc.py: a multithreaded version supporting bulk targeting (single host, list, or file input), custom usernames, and custom endpoints. It writes results to a file and is built for scanning many devices in parallel.
Both scripts rely on the device's improper SAML response validation to impersonate an admin user and obtain full administrative access. The attack is fully remote, needs no prior authentication, and targets the SAML login endpoint (typically /remote/saml/login). The payload is a crafted SAMLResponse XML asserting a super_admin role and presented as if signed by https://sso.forticloud.com. No hardcoded IPs or domains are present; the attacker supplies the targets. The only fingerprintable artifacts are the SAML login path and the SAML issuer/audience fields. The repository is well-structured, separating the minimal and advanced scripts, and includes a README summarizing the vulnerability and affected products.
A second repository with a working proof-of-concept for CVE-2025-59718 in a single Python script, also named CVE-2025-59718.py. The script forges a SAMLResponse XML, base64-encodes it, and submits it to the target's /remote/saml/login endpoint; if the target is vulnerable and FortiCloud SSO login is enabled, it obtains full administrative access without authenticating. README.md provides background, affected versions, mitigation advice, and usage instructions. The exploit is network-based, requires no credentials, and targets widely deployed enterprise security appliances. No hardcoded IPs or domains are used; the script takes a user-supplied target address. The main fingerprintable artifacts are the SAML login path and the SAML issuer/audience values in the payload.
Recent activity
283 sources tracked across advisories, community write-ups, and news.
An improper verification of cryptographic signature vulnerability in FortiGate appliances that enables SSO login bypass and can be used for initial access and persistence on affected devices.
A critical authentication bypass vulnerability affecting multiple Fortinet products that was serious enough to be added to CISA's Known Exploited Vulnerabilities catalog.
A known vulnerability in FortiGate Next-Generation Firewall appliances leveraged by attackers to gain access and extract configuration files.
A recently disclosed FortiGate vulnerability cited as a possible initial access vector used to compromise FortiGate NGFW appliances.