Full Report
Fortinet has published information on vulnerabilities in FortiOS. This advisory lists the related Siemens Industrial products. Siemens is preparing fix versions and recommends consulting and implementing the workarounds provided in Fortinet's upstream security notifications.
Analysis Summary
# Vulnerability: Multiple FortiOS Vulnerabilities in RUGGEDCOM APE1808
## CVE Details
This advisory covers several vulnerabilities. High-impact identifiers include:
- **CVE-2025-59718 / CVE-2025-59719**: CVSS 9.8 (Critical) | CWE-347 (Improper Verification of Cryptographic Signature)
- **CVE-2024-55599**: CVSS score not listed in the source (described as critical impact) | CWE-358 (Improperly Implemented Security Check)
- **CVE-2024-50562**: CVSS 4.8 (Medium) | CWE-613 (Insufficient Session Expiration)
- **CVE-2024-52963**: CVSS 3.7 (Low) | CWE-787 (Out-of-bounds Write)
- **CVE-2024-32122**: CVSS 2.3 (Low) | CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- **Products**: Siemens RUGGEDCOM APE1808 (Application Hosting Platform)
- **Versions**: All versions utilizing Fortinet NGFW (Next-Generation Firewall) components.
- **Configurations**:
  - Systems with FortiCloud SSO login enabled.
  - Systems with Managed FortiAPs enabled.
  - SSL-VPN portal configurations.
## Vulnerability Description
The primary threats involve **SAML Authentication Bypasses** (CVE-2025-59718/59719), where unauthenticated attackers can bypass FortiCloud SSO by crafting malicious SAML responses due to improper cryptographic signature verification. Other flaws include an **Out-of-bounds Write** in the packet processing engine (CVE-2024-52963) leading to Denial of Service, and a **Session Management flaw** (CVE-2024-50562) allowing re-use of expired SSL-VPN cookies.
## Exploitation
- **Status**:
  - CVE-2024-52963: Proof of Concept (PoC) available / functional exploit exists.
  - CVE-2024-50562: PoC available.
  - Critical SAML bypasses: not currently reported as exploited in the wild, but high risk.
- **Complexity**: Low (for SAML bypasses and session reuse) to High (for DoS via crafted packets).
- **Attack Vector**: Network (Remote) for the majority of severe flaws; Local for credential retrieval (CVE-2024-32122).
## Impact
- **Confidentiality**: High (Authentication bypasses allow full system access).
- **Integrity**: High (Unauthorized configuration changes via bypassed admin access).
- **Availability**: Medium (DoS potential via malformed packets).
## Remediation
### Patches
Siemens is currently **preparing fix versions**. Users should monitor the Siemens ProductCERT portal for the release of firmware updates for the RUGGEDCOM APE1808.
### Workarounds
- **For SAML/FortiCloud (CVE-2025-59718/19)**: Disable the FortiCloud login feature (it is disabled by default).
- **For Managed FortiAPs (CVE-2025-58413)**: Disable security fabric access on the interface. Remove `inter-controller-peer` elements in the wireless controller configuration.
- **General**: Restrict network access to the management interfaces and follow Siemens' Operational Guidelines for Industrial Security.
## Detection
- **Indicators of Compromise**: Monitor logs for unauthorized logins via FortiCloud SSO or SAML response anomalies.
- **Detection methods**: Audit `config wireless-controller` settings and review SSL-VPN session logs for suspicious re-authentication events using old session IDs.
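The three detection hints above (SSO logins to review, reuse of an SSL-VPN session identifier after it was closed, and leftover `inter-controller-peer` entries in the wireless-controller configuration) can be turned into a small log and configuration audit. The following is an added example, not code from Siemens or Fortinet: the log lines and the configuration snippet are constructed for this example, and the field names (`subtype`, `action`, `sessionid`, `method`, `remip`, `srcip`) and the nesting of the `config wireless-controller inter-controller` block are assumptions that must be checked against the device's own log reference and CLI before use.

```python
"""Hypothetical audit helpers for the advisory's detection hints.

All inputs below are CONSTRUCTED for illustration; the key="value" layout
imitates syslog-style firewall logs but field names are assumed, not taken
from a real FortiOS log reference.
"""
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date="2025-01-10" time="08:00:01" type="event" subtype="vpn" action="tunnel-up" user="alice" remip="203.0.113.5" sessionid="a1b2c3"',
    'date="2025-01-10" time="09:30:00" type="event" subtype="vpn" action="tunnel-down" user="alice" remip="203.0.113.5" sessionid="a1b2c3"',
    # Same session id comes back up after it was torn down, from a new address.
    'date="2025-01-10" time="09:31:12" type="event" subtype="vpn" action="tunnel-up" user="alice" remip="198.51.100.7" sessionid="a1b2c3"',
    'date="2025-01-10" time="10:00:00" type="event" subtype="system" action="login" user="admin" method="forticloud-sso" srcip="198.51.100.9" status="success"',
    'date="2025-01-10" time="10:05:00" type="event" subtype="vpn" action="tunnel-up" user="bob" remip="203.0.113.8" sessionid="d4e5f6"',
    'date="2025-01-10" time="10:06:00" type="event" subtype="system" action="login" user="admin" method="local" srcip="10.0.0.2" status="success"',
]

# Constructed configuration excerpt; block layout is an assumption.
SAMPLE_CONFIG = """\
config wireless-controller inter-controller
    set inter-controller-mode enable
    config inter-controller-peer
        edit 1
            set peer-ip 192.0.2.10
        next
    end
end
"""

# Authentication methods that the advisory says deserve review.
SSO_METHODS = {"forticloud-sso", "saml", "sso"}


def parse_line(line):
    """Turn a key="value" log line into a dict (empty dict if no pairs)."""
    return dict(KV_RE.findall(line))


def find_session_reuse(lines):
    """Report tunnel-up events that reuse a session id already closed earlier.

    Returns a list of (sessionid, user, remip, time) tuples in log order.
    """
    closed = set()
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("subtype") != "vpn":
            continue
        sid = rec.get("sessionid")
        if rec.get("action") == "tunnel-down":
            closed.add(sid)
        elif rec.get("action") == "tunnel-up" and sid in closed:
            hits.append((sid, rec.get("user"), rec.get("remip"), rec.get("time")))
    return hits


def find_sso_logins(lines):
    """Report successful logins that arrived via a cloud SSO / SAML method."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue
        if rec.get("method", "").lower() in SSO_METHODS:
            hits.append((rec.get("user"), rec.get("method"), rec.get("srcip"), rec.get("time")))
    return hits


def wireless_peer_entries(config_text):
    """Return the names of 'edit' entries inside any inter-controller-peer block.

    A non-empty result means the workaround (removing those elements) has not
    been applied. Uses a small stack to track config/end nesting.
    """
    stack = []
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("edit ") and stack and stack[-1].endswith("inter-controller-peer"):
            entries.append(line[len("edit "):])
    return entries


if __name__ == "__main__":
    print("session reuse:", find_session_reuse(SAMPLE_LOGS))
    print("SSO logins:", find_sso_logins(SAMPLE_LOGS))
    print("peer entries:", wireless_peer_entries(SAMPLE_CONFIG))
```

Run against exported logs and a `show wireless-controller inter-controller` dump, the session-reuse check surfaces the pattern described for CVE-2024-50562 (a closed session id reappearing, here from a different address), the SSO check gives the list of FortiCloud/SAML logins to reconcile against change tickets, and a non-empty peer list flags devices where the FortiAP workaround is still outstanding.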
## References
- Siemens Security Advisory: hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-864900[.]html
- Fortinet PSIRT Advisories: hxxps://fortiguard[.]fortinet[.]com/psirt/
- Siemens Industrial Security Guidelines: hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security