Critical Fortinet Vulnerability Allows Attackers to Bypass FortiCloud SSO Authentication
On December 9, 2025, Fortinet disclosed a critical security vulnerability affecting several of its products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. This flaw, identified as an Improper Verification of Cryptographic Signature (CWE-347), enables unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) authentication, potentially granting unauthorized administrative access to affected devices.
Vulnerability Details
The root cause of this vulnerability lies in the improper verification of signatures within Security Assertion Markup Language (SAML) messages. By crafting a specific SAML message, an attacker can exploit this flaw to gain administrative control over the device without needing valid credentials. This issue was internally discovered by Fortinet’s Product Security team members, Yonghui Han and Theo Leleu, and publicly disclosed on December 9, 2025.
Affected Products and Versions
The vulnerability impacts the following Fortinet products and versions:
– FortiOS:
– Versions 7.6.0 through 7.6.3
– Versions 7.4.0 through 7.4.8
– Versions 7.2.0 through 7.2.11
– Versions 7.0.0 through 7.0.17
– FortiProxy:
– Versions 7.6.0 through 7.6.3
– Versions 7.4.0 through 7.4.10
– Versions 7.2.0 through 7.2.14
– Versions 7.0.0 through 7.0.21
– FortiSwitchManager:
– Versions 7.2.0 through 7.2.6
– Versions 7.0.0 through 7.0.5
– FortiWeb:
– Version 8.0.0
– Versions 7.6.0 through 7.6.4
– Versions 7.4.0 through 7.4.9
Risk Assessment
While the FortiCloud SSO login feature is not enabled by default, it becomes active when an administrator registers a device to FortiCare using the graphical user interface (GUI). During this process, the Allow administrative login using FortiCloud SSO option is toggled on by default. If the administrator does not explicitly disable this feature during registration, the device becomes susceptible to this authentication bypass vulnerability.
Mitigation and Remediation
Fortinet strongly recommends that customers upgrade to the latest versions to address this vulnerability. The following table outlines the affected versions and the corresponding updates required:
| Product | Affected Versions | Remediation |
|———————|—————————–|————————————-|
| FortiOS | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiProxy | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| | 7.2.0 through 7.2.14 | Upgrade to 7.2.15 or above |
| | 7.0.0 through 7.0.21 | Upgrade to 7.0.22 or above |
| FortiSwitchManager | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiWeb | 8.0.0 | Upgrade to 8.0.1 or above |
| | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
For organizations unable to apply the patches immediately, a temporary workaround is available. Administrators can mitigate the risk by disabling the FortiCloud login feature. This can be done by accessing the device’s administrative settings and turning off the Allow administrative login using FortiCloud SSO option.
Recommendations
1. Immediate Patching: Organizations should prioritize upgrading their Fortinet devices to the recommended versions to mitigate the risk associated with this vulnerability.
2. Review Administrative Settings: Administrators should review the FortiCloud SSO login settings on all devices to ensure that the feature is disabled if not in use.
3. Monitor for Unauthorized Access: Implement monitoring mechanisms to detect any unauthorized access attempts or unusual administrative activities on Fortinet devices.
4. Educate IT Staff: Ensure that IT personnel are aware of this vulnerability and understand the steps required to secure affected devices.
Conclusion
The discovery of this critical vulnerability underscores the importance of regular security assessments and prompt application of patches. Organizations utilizing Fortinet products should take immediate action to secure their systems against potential exploitation. By following the recommended remediation steps and maintaining vigilant security practices, organizations can protect their networks from unauthorized access and potential breaches.
