Fortinet Temporarily Disables FortiCloud SSO Amid Active Exploitation of Zero-Day Vulnerability
In response to active exploitation of a zero-day authentication bypass, Fortinet has temporarily disabled its FortiCloud Single Sign-On (SSO) service. The flaw, tracked in Fortinet PSIRT advisory FG-IR-26-060, lets an attacker who controls a malicious FortiCloud account gain unauthorized administrative access to devices registered under other, unrelated FortiCloud accounts.
Understanding the Vulnerability
The root cause is an authentication bypass using an alternate path or channel (CWE-288). It affects FortiOS, FortiProxy, FortiManager, and FortiAnalyzer when FortiCloud SSO is enabled. The feature is off by default, but the FortiCare registration flow turns it on unless the administrator explicitly disables it, so it is commonly enabled on registered devices whose administrators never made a deliberate choice to use it.
Successful exploitation gives the attacker administrative access to the targeted device, including devices already fully patched against the earlier, related SSO bypass vulnerabilities. The underlying weakness applies to all SAML SSO implementations in these products, but the exploitation observed so far has been confined to FortiCloud SSO.
Products Under Investigation
FortiWeb and FortiSwitch Manager are currently under investigation to determine their susceptibility to this vulnerability. As of now, no patches have been confirmed for these products.
Affected Versions and Recommended Actions
Fortinet has identified multiple product versions affected by this vulnerability and has provided guidance on necessary upgrades:
– FortiAnalyzer:
  – Versions 7.6.0 through 7.6.5: Upgrade to 7.6.6 or later.
  – Versions 7.4.0 through 7.4.9: Upgrade to 7.4.10 or later.
  – Versions 7.2.0 through 7.2.11: Upgrade to 7.2.12 or later.
  – Versions 7.0.0 through 7.0.15: Upgrade to 7.0.16 or later.
  – Version 6.4: Not affected.
– FortiManager:
  – Versions 7.6.0 through 7.6.5: Upgrade to 7.6.6 or later.
  – Versions 7.4.0 through 7.4.9: Upgrade to 7.4.10 or later.
  – Versions 7.2.0 through 7.2.11: Upgrade to 7.2.13 or later.
  – Versions 7.0.0 through 7.0.15: Upgrade to 7.0.16 or later.
  – Version 6.4: Not affected.
– FortiOS:
  – Versions 7.6.0 through 7.6.5: Upgrade to 7.6.6 or later.
  – Versions 7.4.0 through 7.4.10: Upgrade to 7.4.11 or later.
  – Versions 7.2.0 through 7.2.12: Upgrade to 7.2.13 or later.
  – Versions 7.0.0 through 7.0.18: Upgrade to 7.0.19 or later.
  – Version 6.4: Not affected.
– FortiProxy:
  – Versions 7.6.0 through 7.6.4: Upgrade to 7.6.6 or later.
  – Versions 7.4.0 through 7.4.12: Upgrade to 7.4.13 or later.
  – All versions of 7.2 and 7.0: Migrate to a fixed release.
Administrators are advised to consult Fortinet’s upgrade tool for detailed guidance on the recommended upgrade paths.
Indicators of Compromise (IoCs)
Fortinet has identified specific indicators that may suggest exploitation of this vulnerability:
– Suspicious FortiCloud SSO User Accounts:
  – cloud-noc@mail[.]io
  – cloud-init@mail[.]io
– Malicious IP Addresses:
  – Primary:
    – 104.28.244[.]115
    – 104.28.212[.]114
    – 104.28.212[.]115
    – 104.28.195[.]105
    – 104.28.195[.]106
    – 104.28.227[.]106
    – 104.28.227[.]105
    – 104.28.244[.]114
  – Other:
    – 37.1.209[.]19
    – 217.119.139[.]50
– Unauthorized Local Administrator Accounts:
  – audit
  – backup
  – itadmin
  – secadmin
  – support
  – backupadmin
  – deploy
  – remoteadmin
  – security
  – svcadmin
  – system
Administrators should search event logs for successful SSO logins (logid="0100032001") originating from the IP addresses above or performed by the accounts above, and for administrator-account creation events (logid="0100044547") that add any of the listed names. Observed post-exploitation activity includes downloading the device configuration and creating backdoor administrator accounts to maintain persistent access.
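The following Python script is an added example, not code from Fortinet's advisory or from the original article. It applies the indicators above to FortiOS-style key=value event log lines: it parses each line into fields, flags successful logins (logid 0100032001) whose source IP or account matches the IoC lists, and flags administrator creations (logid 0100044547) whose new account name is on the backdoor-name list or that come from a listed IP. The sample log lines are constructed for the demonstration, and the field names used to locate the source address and the new admin name (`srcip`, `ui`, `cfgobj`, `msg`) are assumptions about the log layout; check them against the fields your devices actually emit before running this over real logs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the advisory, as listed in the IoC section above.
SUSPICIOUS_SSO_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
MALICIOUS_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}
BACKDOOR_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}
LOGID_LOGIN_OK = "0100032001"     # successful admin login (the advisory's SSO login logid)
LOGID_ADMIN_ADDED = "0100044547"  # administrator account created

# FortiOS writes key=value pairs; values containing spaces are double-quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one FortiOS-style event log line into a {field: value} dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def _source_ips(fields: Dict[str, str]) -> List[str]:
    """srcip= plus any IPv4 embedded in ui=, e.g. ui="sso(104.28.244.115)".
    Both field names are assumptions about how the login source is recorded."""
    ips = [fields["srcip"]] if fields.get("srcip") else []
    return ips + _IPV4_RE.findall(fields.get("ui", ""))


def _new_admin_name(fields: Dict[str, str]) -> Optional[str]:
    """Name of the admin object being added: cfgobj= (assumed field), falling
    back to parsing msg="Add system.admin <name>" (assumed message layout)."""
    if fields.get("cfgobj"):
        return fields["cfgobj"]
    m = re.search(r"system\.admin\s+(\S+)", fields.get("msg", ""))
    return m.group(1) if m else None


def check_line(line: str) -> List[str]:
    """Return human-readable findings for one log line; empty list if clean."""
    f = parse_fortios_line(line)
    findings: List[str] = []
    bad_ips = [ip for ip in _source_ips(f) if ip in MALICIOUS_IPS]
    logid = f.get("logid")

    if logid == LOGID_LOGIN_OK:
        # Any successful login from a listed IP is worth a look, SSO or not.
        if bad_ips:
            findings.append(f"successful login from known malicious IP {bad_ips[0]}")
        if f.get("user", "").lower() in SUSPICIOUS_SSO_USERS:
            findings.append(f"login by suspicious FortiCloud SSO account {f['user']}")
    elif logid == LOGID_ADMIN_ADDED:
        name = _new_admin_name(f)
        if name and name.lower() in BACKDOOR_ADMIN_NAMES:
            findings.append(f"admin account '{name}' created (name on backdoor list)")
        if bad_ips:
            findings.append(f"admin account created from known malicious IP {bad_ips[0]}")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run check_line over every line; return (1-based line number, findings) for hits."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := check_line(line))]


# Constructed sample log (not real captured data): two malicious lines, then two benign ones.
SAMPLE_LOG = """\
date=2026-01-23 time=03:12:44 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="cloud-noc@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 method="sso" status="success" msg="Administrator cloud-noc@mail.io logged in successfully from sso(104.28.244.115)"
date=2026-01-23 time=03:13:02 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="cloud-noc@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="backup" msg="Add system.admin backup"
date=2026-01-23 time=09:41:10 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.5.21)" srcip=10.0.5.21 method="https" status="success" msg="Administrator admin logged in successfully from https(10.0.5.21)"
date=2026-01-23 time=09:45:31 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(10.0.5.21)" srcip=10.0.5.21 cfgpath="system.admin" cfgobj="jdoe" msg="Add system.admin jdoe"
"""

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG.splitlines()):
        for hit in hits:
            print(f"line {lineno}: {hit}")
```

Point `scan()` at the lines of an exported event log (or a FortiAnalyzer export of the same fields) and review every hit; a match on the IP or account lists is strong evidence, while a match on the admin-name list alone only tells you that an account with a commonly abused name was created and needs to be reconciled against your change records.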
Timeline of Events and Fortinet’s Response
– January 22, 2026: Fortinet identified and locked malicious FortiCloud accounts following the detection of active exploitation.
– January 26, 2026: The company temporarily disabled the FortiCloud SSO service to prevent further exploitation.
– January 27, 2026: FortiCloud SSO was reinstated with additional security measures, including blocking access from vulnerable devices.
– January 27, 2026: Fortinet published PSIRT advisory FG-IR-26-060, detailing the vulnerability and recommended actions.
This incident follows previous advisories issued in December 2025 (FG-IR-25-647) concerning related SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). Although patches were released for these earlier issues, attackers have exploited a new vector to bypass existing protections.
Immediate Recommendations for Administrators
To mitigate the risk associated with this vulnerability, administrators should:
1. Restrict Administrative Access: Implement local-in policies to limit administrative access to trusted IP addresses.
2. Disable FortiCloud SSO if Unnecessary: If FortiCloud SSO is not essential, disable it using the following commands:
– For FortiOS/FortiProxy:
```
config system global
    set admin-forticloud-sso-login disable
end
```
– For FortiManager/FortiAnalyzer:
```
config system saml
    set forticloud-sso disable
end
```
3. Post-Compromise Actions: If a system is suspected to be compromised:
– Upgrade firmware to the latest patched version.
– Restore configurations from a clean backup.
– Rotate all administrative credentials.
– Audit VPN and LDAP configurations for unauthorized changes.
4. Stay Informed: Monitor Fortinet’s Product Security Incident Response Team (PSIRT) advisories for updates and patches.
As of now, a Common Vulnerabilities and Exposures (CVE) identifier has not been assigned to this zero-day vulnerability, and a Common Vulnerability Scoring System (CVSS) score is pending.