PSIRTAdministrative FortiCloud SSO authentication bypass
Summary
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiSwitchManager, FortiWeb may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page, FortiCloud SSO login is enabled upon registration.
This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22. In order to protect its customers from further exploit, Fortinet disabled FortiCloud SSO on FortiCloud side on 2026-01-26. It was re-enabled on 2026-01-27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function.
FortiManager Cloud, FortiAnalyzer Cloud, FortiGate Cloud are NOT impacted.
Setups with Custom IdP for SSO instead of FortiCloud are not impacted (including setups using FortiAuthenticator as the Custom IdP)
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiAnalyzer 6.4 | Not affected | Not Applicable |
| FortiManager 8.0 | Not affected | Not Applicable |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiManager 6.4 | Not affected | Not Applicable |
| FortiOS 8.0 | Not affected | Not Applicable |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to 7.0.19 or above |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to 7.4.13 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.15 | Upgrade to 7.2.16 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.22 | Upgrade to 7.0.23 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.7 | Upgrade to upcoming 7.0.8 or above |
| FortiWeb 8.0 | 8.0.0 through 8.0.3 | Upgrade to 8.0.4 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.6 | Upgrade to 7.6.7 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.11 | Upgrade to 7.4.12 or above |
| FortiWeb 7.2 | Not affected | Not Applicable |
| FortiWeb 7.0 | Not affected | Not Applicable |
Workaround
FortiCloud SSO authentication no longer supports login from devices running vulnerable versions.
Therefore disabling FortiCloud SSO login on client side is not necessary at the moment. For reference, it can be nonetheless be done via the following:
On FortiOS and FortiProxy:
go to System -> Settings -> Switch "Allow administrative login using FortiCloud SSO" to Off. Or type the following command in CLI command line:
config system global
set admin-forticloud-sso-login disable
end
On FortiManager and FortiAnalyzer:
go to System Settings -> SAML SSO -> Switch "Allow admins to login with FortiCloud" to Off. Or type the following command in CLI command line:
config system saml
set forticloud-sso disable
end
Indicators of Compromise
SSO Login User Accounts
The actor has been observed to have logged in with the following user accounts.
cloud-noc@mail.io
cloud-init@mail.io
heltaylor.12@tutamail.com
support@openmail.pro
We expect these addresses may change in the future as action has been taken to neutralize these accounts.
IP Addresses
The actor has been observed to log in via multiple IP addresses and appears to have switched to use Cloudflare protected IPs.
104.28.244.115
104.28.212.114
104.28.212.115
104.28.195.105
104.28.195.106
104.28.227.106
104.28.227.105
104.28.244.114
163.61.198.15
104.28.195.106
104.28.244.116
38.54.6.28
Additional IPs observed by a third party, not Fortinet:
37[.]1.209.19
217[.]119.139.50
Malicious Local Account Creation
Following authentication via SSO, it has been observed that the actor creates a local admin account with one of the following names. This has changed through our analysis, so Fortinet recommends reviewing all admin accounts to look for any unexpected entries.
audit
backup
itadmin
secadmin
support
backupadmin
deploy
remoteadmin
security
svcadmin
system
adccount
Attacker main operations:
- Download customer config file
- Add an admin account to get persistence
Timeline
2026-01-27: Initial publication