Lack of TLS Certificate Validation during initial SSO Authentication
Monitor | CVSS 6.3 | FG-IR-26-078 | Mar 10, 2026
Vendor: Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
FortiAnalyzer and FortiManager do not properly validate the TLS certificate presented by FortiCloud during initial SSO authentication. An attacker positioned on the network path can present a forged certificate to intercept the authentication handshake and potentially gain unauthorized access to the management system.
What this means
What could happen
An attacker on the network path between your FortiAnalyzer or FortiManager and FortiCloud could intercept and modify the initial SSO authentication, potentially gaining administrator access to the management system.
Who's at risk
Organizations running FortiAnalyzer or FortiManager (versions 6.4 through 7.6.4) are affected. These are centralized management and analytics systems that often control firewall and threat-prevention policy for multiple network segments. A compromise could allow an attacker to bypass security policies, access logs, or alter forwarding rules across your entire infrastructure.
How it could be exploited
An attacker must position themselves on the network path (e.g., via ARP spoofing, DNS poisoning, or BGP hijacking) between the FortiAnalyzer/FortiManager and FortiCloud during initial device registration. They present a forged TLS certificate that the device fails to validate, allowing them to intercept the SSO authentication handshake and capture or modify credentials before they reach FortiCloud.
Prerequisites
- Network position between device and FortiCloud (man-in-the-middle capability)
- Timing during initial device registration/first SSO authentication
- Ability to present a fake TLS certificate that the device will accept
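The flaw described above comes down to a TLS client that accepts whatever certificate the far end presents. What follows is an added example, not Fortinet code and not a description of how FortiAnalyzer or FortiManager implement SSO: a Python client configured without validation beside one that enforces chain and hostname verification, both exercised against a local server whose self-signed certificate is generated with the openssl CLI (assumed installed; the demo returns None without it). The hostname "localhost", the port and the file names are constructed for the demo.

```python
"""Added example (not Fortinet code): a TLS client that skips certificate
validation beside one that enforces it, exercised against a local
self-signed server so the difference is observable offline."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def insecure_context():
    """The flawed pattern: neither the chain nor the hostname is verified,
    so any certificate an on-path party presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Chain verified against the system store (or an explicit trust anchor
    when cafile is given), hostname checked against the certificate's SAN,
    legacy protocol versions refused. ssl.create_default_context() yields
    the same posture; the settings are spelled out here for clarity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # pin a known trust anchor
    else:
        ctx.load_default_certs()                   # system trust store
    return ctx


def context_summary(ctx):
    """Settings a reviewer would inspect when auditing a TLS client."""
    return {"verify": ctx.verify_mode.name, "hostname": ctx.check_hostname,
            "min_version": ctx.minimum_version.name}


def make_self_signed(tmpdir):
    """Generate a throw-away self-signed cert for 'localhost' with the openssl
    CLI (assumed installed). Returns (cert_path, key_path) or None."""
    if shutil.which("openssl") is None:
        return None
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-keyout", key, "-out", cert, "-days", "1",
           "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"]
    res = subprocess.run(cmd, capture_output=True)
    return (cert, key) if res.returncode == 0 else None


def serve_tls(cert, key, listener, connections):
    """Answer `connections` handshakes with the self-signed cert; a client
    that rejects it simply produces a failed handshake on this side."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(cert, key)
    for _ in range(connections):
        try:
            conn, _addr = listener.accept()
            with srv.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)          # wait for the client to finish and close
        except OSError:              # ssl.SSLError is a subclass of OSError
            continue


def try_connect(ctx, addr):
    """Handshake with `ctx`; return 'accepted' or the verification error name."""
    sock = socket.create_connection(addr, timeout=5)
    try:
        with ctx.wrap_socket(sock, server_hostname="localhost") as tls:
            # With CERT_NONE the peer cert is never checked, so getpeercert()
            # is empty; the raw DER still shows a cert was silently accepted.
            return "accepted" if tls.getpeercert(binary_form=True) else "no-cert"
    except ssl.SSLCertVerificationError:
        return "SSLCertVerificationError"


def run_demo():
    """Return {client: outcome} for three client configurations, or None when
    the openssl CLI needed for the constructed certificate is unavailable."""
    with tempfile.TemporaryDirectory() as tmp:
        pair = make_self_signed(tmp)
        if pair is None:
            return None
        cert, key = pair
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))    # constructed: ephemeral local port
        listener.listen(3)
        listener.settimeout(10)
        addr = listener.getsockname()
        t = threading.Thread(target=serve_tls, args=(cert, key, listener, 3),
                             daemon=True)
        t.start()
        results = {
            "no validation": try_connect(insecure_context(), addr),
            "system CAs": try_connect(hardened_context(), addr),
            "pinned CA": try_connect(hardened_context(cafile=cert), addr),
        }
        t.join(timeout=10)
        listener.close()
        return results


if __name__ == "__main__":
    print(run_demo())
```

The "no validation" client completes the handshake with a certificate nobody vouched for, which is exactly the condition an on-path forgery needs; the "system CAs" client refuses the same certificate, and the "pinned CA" client accepts it only because that specific certificate was loaded as the trust anchor and its SAN matches the requested hostname. Auditing a client therefore means checking all three settings in `context_summary`, not just that TLS is in use.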
Tags: remotely exploitable | medium CVSS (6.3) | user interaction required (during initial setup) | affects management system
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (10)
10 with fix
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.4 | 7.6.5+
FortiAnalyzer | 7.4.0 - 7.4.8 | 7.4.9+
FortiAnalyzer | 7.2 all versions | Migrate to fixed release
FortiAnalyzer | 7.0 all versions | Migrate to fixed release
FortiAnalyzer | 6.4 all versions | Migrate to fixed release
FortiManager | 7.6.0 - 7.6.4 | 7.6.5+
FortiManager | 7.4.0 - 7.4.8 | 7.4.9+
FortiManager | 7.2 all versions | Migrate to fixed release
Remediation & Mitigation
Do now
HARDENING: Ensure initial device registration and SSO authentication occur over a network you control; isolate the registration process from untrusted network segments.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
FortiAnalyzer
HOTFIX: Update FortiAnalyzer 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiAnalyzer 7.4.x to version 7.4.9 or later
HOTFIX: Migrate FortiAnalyzer 7.2, 7.0, or 6.4 to version 7.6.5+ or 7.4.9+
FortiManager
HOTFIX: Update FortiManager 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiManager 7.4.x to version 7.4.9 or later
HOTFIX: Migrate FortiManager 7.2, 7.0, or 6.4 to version 7.6.5+ or 7.4.9+
CVEs (1)