MFA Bypass in GUI
Rating: Monitor | Score: 6.8 | Vendor advisory: FG-IR-26-090 | Published: Mar 10, 2026
Vendor: Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
- Attack Vector: Network
- Auth Required: High
- Complexity: Low
- User Interaction: None needed
Summary
A multi-factor authentication (MFA) bypass vulnerability exists in FortiAnalyzer and FortiManager that allows high-privilege administrators to skip the second authentication factor through a timeout mechanism. Affected versions are FortiAnalyzer 7.2.2–7.2.11, 7.4.0–7.4.7, and 7.6.0–7.6.3, and FortiManager 7.2.2–7.2.11, 7.4.0–7.4.7, and 7.6.0–7.6.3. The vulnerability requires valid high-privilege credentials and network access to the web GUI.
What this means
What could happen
An administrator with high privileges could bypass multi-factor authentication (MFA) through a timeout mechanism, allowing unauthorized access to FortiAnalyzer or FortiManager without completing the second authentication factor. This could enable an attacker with valid admin credentials to gain full control of these critical management systems.
Who's at risk
Organizations using Fortinet FortiAnalyzer or FortiManager for centralized security management and log analysis. This affects system administrators and security teams who rely on these platforms to manage firewalls and security policies across their network infrastructure.
How it could be exploited
An attacker with valid high-privilege administrator credentials (such as from credential theft or a previous breach) can authenticate to the FortiAnalyzer or FortiManager web GUI, and then exploit the MFA timeout bypass to skip the second authentication factor. Once authenticated, the attacker can configure network policies, extract sensitive data, or alter security settings across managed devices.
Prerequisites
- Valid high-privilege (administrator-level) credentials for the FortiAnalyzer or FortiManager system
- Network access to the web GUI port (typically HTTPS)
- Knowledge of the MFA timeout bypass mechanism
Tags: remotely exploitable; requires valid high-privilege credentials; affects central management system; MFA bypass allows credential reuse
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix

Product         Affected Versions    Fix Status
FortiAnalyzer   7.6.0 - 7.6.3        7.6.4+
FortiAnalyzer   7.4.0 - 7.4.7        7.4.8+
FortiAnalyzer   7.2.2 - 7.2.11       Migrate to fixed release
FortiManager    7.6.0 - 7.6.3        7.6.4+
FortiManager    7.4.0 - 7.4.7        7.4.8+
FortiManager    7.2.2 - 7.2.11       Migrate to fixed release
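The affected-version table above is what a vulnerability-management team actually needs to act on, and comparing dotted version strings by hand (or as plain strings, where "7.4.10" sorts before "7.4.7") is a common source of triage mistakes. The following is an added example written for this page, not Fortinet code and not part of the advisory: it transcribes the table into comparable version tuples and reports, per device, whether the version is in an affected range and which fix the table points to. The "major.minor.patch" version format, the optional "-build" suffix handling, and the sample inventory are assumptions.

```python
"""Check whether a FortiAnalyzer / FortiManager version falls inside the
ranges listed for FG-IR-26-090 and report the fix version from the table.

Added example for this advisory page; not Fortinet code. The ranges and fix
versions are transcribed from the "Affected products" table; the
'major.minor.patch' version-string format is an assumption.
"""

from typing import NamedTuple, Optional

Version = tuple[int, int, int]


class Range(NamedTuple):
    low: Version               # first affected version (inclusive)
    high: Version              # last affected version (inclusive)
    fixed: Optional[Version]   # first fixed build on this branch; None = none on branch


# Transcribed advisory table. 7.2.x has no fixed build on its own branch:
# the table says "Migrate to fixed release", i.e. 7.4.8+ or 7.6.4+.
AFFECTED: dict[str, list[Range]] = {
    "FortiAnalyzer": [
        Range((7, 2, 2), (7, 2, 11), None),
        Range((7, 4, 0), (7, 4, 7), (7, 4, 8)),
        Range((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ],
    "FortiManager": [
        Range((7, 2, 2), (7, 2, 11), None),
        Range((7, 4, 0), (7, 4, 7), (7, 4, 8)),
        Range((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ],
}

# Branches that carry a fixed build; used for the 7.2.x migration advice.
MIGRATION_TARGETS: list[Version] = [(7, 4, 8), (7, 6, 4)]


def parse_version(text: str) -> Version:
    """Parse '7.4.3' or 'v7.4.3-build1234' into a comparable (7, 4, 3) tuple.
    The build suffix is ignored (assumed format, not from the advisory)."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(product: str, version: str) -> dict:
    """Return {'affected': bool, 'action': str} for one device.
    Tuple comparison orders versions numerically, so (7, 4, 10) > (7, 4, 7)."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for rng in AFFECTED[product]:
        if rng.low <= v <= rng.high:
            if rng.fixed is None:
                targets = " or ".join(fmt(t) + "+" for t in MIGRATION_TARGETS)
                return {"affected": True, "action": f"migrate to a fixed release ({targets})"}
            return {"affected": True, "action": f"upgrade to {fmt(rng.fixed)} or later"}
    return {"affected": False, "action": "no action required for FG-IR-26-090"}


def triage(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """Run assess() over (hostname, product, version) rows; affected rows first."""
    rows = []
    for host, product, version in inventory:
        result = assess(product, version)
        rows.append({"host": host, "product": product, "version": version, **result})
    return sorted(rows, key=lambda r: not r["affected"])


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("faz-01", "FortiAnalyzer", "7.4.3"),
        ("fmg-01", "FortiManager", "7.2.9"),
        ("fmg-02", "FortiManager", "v7.6.4-build1234"),
        ("faz-02", "FortiAnalyzer", "7.0.12"),
    ]
    for row in triage(sample):
        flag = "AFFECTED" if row["affected"] else "ok      "
        print(f"{flag}  {row['host']:8} {row['product']:14} {row['version']:18} {row['action']}")
```

Feed `triage()` rows exported from your asset inventory. Versions outside every listed range (for example 7.0.x, or 7.2.0 and 7.2.1) are reported as not affected because the advisory does not list them; extend the table rather than the logic if Fortinet revises the affected ranges.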
Remediation & Mitigation
Do now
FortiAnalyzer
HARDENING: Restrict network access to FortiAnalyzer and FortiManager web GUI ports to trusted management networks only; use firewall rules to limit inbound HTTPS access by IP address or VPN
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiAnalyzer
HOTFIX: Update FortiAnalyzer 7.6.x systems to version 7.6.4 or later
HOTFIX: Update FortiAnalyzer 7.4.x systems to version 7.4.8 or later
HOTFIX: Migrate FortiAnalyzer 7.2.2–7.2.11 systems to a fixed release (7.4.8+, 7.6.4+, or later)
FortiManager
HOTFIX: Update FortiManager 7.6.x systems to version 7.6.4 or later
HOTFIX: Update FortiManager 7.4.x systems to version 7.4.8 or later
HOTFIX: Migrate FortiManager 7.2.2–7.2.11 systems to a fixed release (7.4.8+, 7.6.4+, or later)
CVEs (1)
API: /api/v1/advisories/62ad826b-0713-44fe-9a03-fe34a7041367