Administrative FortiCloud SSO authentication bypass
Act Now | CVSS 9.4 | FG-IR-26-060 | Jan 27, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FortiCloud SSO login authentication bypass in FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb. An attacker can bypass FortiCloud single sign-on authentication and obtain administrative access to an affected device without valid credentials. Affected releases span the 7.0 through 7.6 branches of each product, plus the 8.0 branch of FortiWeb. Fortinet has released fixed versions for every affected product.
What this means
What could happen
An attacker could bypass FortiCloud single sign-on authentication and gain unauthorized administrative access to FortiAnalyzer, FortiManager, FortiOS, FortiProxy, or FortiWeb devices without valid credentials. This allows them to modify security policies, access logs and sensitive data, or disrupt network operations.
Who's at risk
Water and utility operators running FortiAnalyzer, FortiManager, or FortiOS devices as security appliances or management platforms should prioritize patching immediately. FortiProxy and FortiWeb deployments used to protect SCADA networks or critical process applications are also at risk. Any organization running an affected version with FortiCloud SSO login enabled is exposed, and the exposure is greatest where the device's administrative interface is reachable from untrusted networks.
How it could be exploited
An attacker sends a specially crafted request to the device's FortiCloud SSO login endpoint. The flaw lets that request pass the authentication checks, so the attacker ends up with an administrative session directly. No valid credentials or multi-factor authentication are required, and no special network position is needed beyond being able to reach the administrative interface: a device whose management interface is exposed to the internet can be attacked from anywhere.
Prerequisites
- Network access to the device's FortiCloud SSO authentication interface (typically port 443/HTTPS)
- Device must have FortiCloud SSO authentication enabled
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.4), critical severity, authentication bypass
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (19)
19 with fix
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.5 | 7.6.6+
FortiAnalyzer | 7.4.0 - 7.4.9 | 7.4.10+
FortiAnalyzer | 7.2.0 - 7.2.11 | 7.2.12+
FortiAnalyzer | 7.0.0 - 7.0.15 | 7.0.16+
FortiManager | 7.6.0 - 7.6.5 | 7.6.6+
Remediation & Mitigation
Do now
FortiAnalyzer
HOTFIX: Update FortiAnalyzer to version 7.6.6 or later, 7.4.10 or later, 7.2.12 or later, or 7.0.16 or later, depending on your current branch
FortiManager
HOTFIX: Update FortiManager to version 7.6.6 or later, 7.4.10 or later, 7.2.12 or later, or 7.0.16 or later, depending on your current branch
FortiOS
HOTFIX: Update FortiOS to version 7.6.6 or later, 7.4.11 or later, 7.2.13 or later, or 7.0.19 or later, depending on your current branch
FortiProxy
HOTFIX: Update FortiProxy to version 7.6.5 or later, 7.4.13 or later, 7.2.16 or later, or 7.0.23 or later, depending on your current branch
FortiWeb
HOTFIX: Update FortiWeb to version 8.0.4 or later, 7.6.7 or later, or 7.4.12 or later, depending on your current branch
All products
WORKAROUND: If immediate patching is not possible, disable FortiCloud SSO login on the device and fall back to local administrator accounts until the fixed version is installed. On FortiOS this is the admin-forticloud-sso-login setting under config system global (set admin-forticloud-sso-login disable); confirm the equivalent setting for FortiAnalyzer, FortiManager, FortiProxy, and FortiWeb against the CLI reference for your product and version. After disabling it, verify that the SSO login option no longer appears on the administrative login page, and re-check the setting after any configuration restore or central push, since either can re-enable it.
HARDENING: Restrict network access to the administrative interfaces of affected devices to trusted management networks only, using firewall rules and the devices' own trusted-host controls. Because this vulnerability is being exploited in the wild, treat any affected device whose SSO login endpoint was reachable as possibly compromised: review local administrator accounts and recent administrative logins for entries you did not create before relying on the patch alone.
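A patch-status triage script, added here as an example (it is not Fortinet tooling and not part of this advisory): it encodes the fixed versions from the remediation list above, parses the version string a device reports, and ranks a constructed inventory so that vulnerable devices with FortiCloud SSO login still enabled come first. Release branches this page does not list (FortiOS 6.4, FortiWeb 7.2, and so on) are flagged for checking rather than assumed safe. Hostnames, versions, and the build string in the sample inventory are made up.

```python
"""Patch-status triage for the FortiCloud SSO bypass.

Added example for this advisory, not Fortinet tooling. FIXED_VERSIONS is
transcribed from the remediation list; SAMPLE_INVENTORY is constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# product -> {release branch: first fixed version}. Branches absent here are
# not covered by the advisory page, so they report "not-listed", never "patched".
FIXED_VERSIONS: dict[str, dict[tuple[int, int], tuple[int, int, int]]] = {
    "FortiAnalyzer": {(7, 6): (7, 6, 6), (7, 4): (7, 4, 10), (7, 2): (7, 2, 12), (7, 0): (7, 0, 16)},
    "FortiManager": {(7, 6): (7, 6, 6), (7, 4): (7, 4, 10), (7, 2): (7, 2, 12), (7, 0): (7, 0, 16)},
    "FortiOS": {(7, 6): (7, 6, 6), (7, 4): (7, 4, 11), (7, 2): (7, 2, 13), (7, 0): (7, 0, 19)},
    "FortiProxy": {(7, 6): (7, 6, 5), (7, 4): (7, 4, 13), (7, 2): (7, 2, 16), (7, 0): (7, 0, 23)},
    "FortiWeb": {(8, 0): (8, 0, 4), (7, 6): (7, 6, 7), (7, 4): (7, 4, 12)},
}

# Matches "7.4.3" or "v7.4.3", e.g. inside the Version: line of `get system status`.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return the first x.y.z version found in free text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


@dataclass
class Finding:
    product: str
    version: tuple[int, int, int]
    status: str  # "vulnerable", "patched" or "not-listed"
    fixed_in: tuple[int, int, int] | None
    sso_enabled: bool  # FortiCloud SSO login enabled on the device

    @property
    def priority(self) -> int:
        """0 = exploitable now ... 3 = nothing to do."""
        if self.status == "vulnerable":
            return 0 if self.sso_enabled else 1
        return 2 if self.status == "not-listed" else 3

    @property
    def action(self) -> str:
        return [
            "PATCH NOW: vulnerable and FortiCloud SSO login is enabled",
            "PATCH: vulnerable, workaround in place (SSO login disabled)",
            "CHECK: release branch not covered by this advisory page",
            "OK: running a fixed version",
        ][self.priority]


def assess(product: str, version_text: str, sso_enabled: bool = True) -> Finding:
    """Compare one device's version with the first fixed version of its branch."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product {product!r} is not in this advisory")
    version = parse_version(version_text)
    fixed_in = FIXED_VERSIONS[product].get(version[:2])
    if fixed_in is None:
        status = "not-listed"
    elif version >= fixed_in:  # tuple comparison: (7, 4, 3) < (7, 4, 11)
        status = "patched"
    else:
        status = "vulnerable"
    return Finding(product, version, status, fixed_in, sso_enabled)


def triage(inventory):
    """inventory: (hostname, product, version_text, sso_enabled) tuples.
    Returns (hostname, Finding) pairs, most urgent first."""
    findings = [(host, assess(prod, ver, sso)) for host, prod, ver, sso in inventory]
    return sorted(findings, key=lambda hf: hf[1].priority)


# Constructed sample inventory; the first entry mimics a `get system status` Version line.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "FortiGate-100F v7.4.3,build2573,240201 (GA.F)", True),
    ("fw-plant-02", "FortiOS", "7.0.19", True),
    ("faz-01", "FortiAnalyzer", "7.2.11", False),
    ("fmg-01", "FortiManager", "7.6.6", True),
    ("fwb-dmz", "FortiWeb", "7.2.9", True),
    ("fpx-01", "FortiProxy", "7.6.5", True),
]

if __name__ == "__main__":
    for host, f in triage(SAMPLE_INVENTORY):
        ver = ".".join(map(str, f.version))
        fix = ".".join(map(str, f.fixed_in)) if f.fixed_in else "n/a"
        print(f"{host:12} {f.product:14} {ver:8} fixed_in={fix:8} {f.action}")
```

Run it as-is to see the ranking for the sample inventory, or replace SAMPLE_INVENTORY with rows from your own asset list. The sso_enabled flag should come from the device's actual configuration rather than from what you believe was set, since the workaround above only lowers priority when SSO login is really disabled.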
CVEs (1)