FortiGuard PSIRT - Fortinet Products' FortiCloud SSO Login Authentication Bypass

CRITICAL (9.8)
cwe-347authentication-bypassfortinetfortiosfortiproxyfortiswitchmanagersamlvulnerability

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 0.09% chance of exploitation (percentile: 26%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: GitHub PoC

How we test →

What is it?

This vulnerability affects multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These products are used for network security, firewall management, and other enterprise applications. The vulnerability allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message, potentially gaining full administrative access to the system.

Am I affected?

You're affected if you use A improper verification of cryptographic signature vulnerability. Affected versions: 7.4.8, 7.0.17, 7.2.6, 7.6.3, 7.2.11, 7.4.10, 7.0.5, 7.0.21, 7.2.14 If you don't recognise this software, you're probably not affected.

How to fix

  1. Upgrade to a non-affected version:
  2. FortiOS: Upgrade to 7.6.4 or above.
  3. FortiProxy: Upgrade to 7.6.4 or above.
  4. FortiWeb: Upgrade to 8.0.1 or above.
  5. Immediate mitigations (if upgrade isn't possible):
  6. Restrict network access to your Fortinet devices.
  7. Audit admin account activity for suspicious access patterns.
  8. Monitor for unauthorized token creation.

References