Fortinet Blocks Exploited FortiCloud SSO Zero Day Vulnerability

Fortinet Blocks Exploited FortiCloudSSO Zero Day Vulnerability

VTA-004554 – Fortinet Blocks Exploited FortiCloudSSO Zero Day Vulnerability

Fortinet has disclosed a critical authentication bypass vulnerability in its FortiCloud SSO feature, actively exploited in the wild across FortiOS, FortiManager, FortiAnalyzer and FortiProxy products. Dubbed CWE-288 (Authentication Bypass Using an Alternate Path or Channel), the flaw lets attackers with a compromised FortiCloud account and one registered device impersonate admins on unrelated devices if SSO is enabled. Fortinet spotted two malicious accounts abusing this starting late January 2026, prompting them to lock the accounts on January 22, disable SSO cloud-side on January 26 and re-enable it the next day with blocks on vulnerable firmware.

What sets this apart from garden-variety credential stuffing or brute-force attacks is its elegant exploitation of vendor-managed SSO trust assumptions in a security product ecosystem. Attackers don’t crack passwords or phish, they leverage legitimate FortiCloud credentials plus device registration to “channel surf” into other tenants’ firewalls and managers, downloading configs for reconnaissance and planting backdoor admin accounts like “itadmin” or “secadmin.” This horizontal privilege escalation via cloud-device linkage is rarer than typical lateral movement in networks, turning Fortinet’s own convenience feature into a super-spreader for persistence across customer environments.

Affected versions span FortiOS 7.6.0-7.6.5, 7.4.0-7.4.10 and older branches down to 7.0, similar for FortiManager/FortiAnalyzer and FortiProxy (all 7.2/7.0). Fortinet’s rapid takedown neutralized immediate threats, but unpatched devices risk config theft and backdoors until upgraded. Under investigation, FortiWeb and FortiSwitch Manager. This incident underscores SSO pitfalls in appliance fleets prioritize firmware hygiene and segment cloud auth to thwart such “authorized” intrusions.

Severity:
High

Attack Surface:
Cloud Service

Tactics:
Credential Access, Defense Evasion, Initial Access, Persistence

Techniques:
T1078 – Valid Accounts
T1556 – Modify Authentication Process
T1098 – Account Manipulation
T1562.001 – Impair Defenses

Indicator of Compromise:
https://otx.alienvault.com/pulse/69798a3dd3ebdbb041c73386

References:
1. https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
2. https://www.fortiguard.com/psirt/FG-IR-26-060

SuperPRO’s Threat Countermeasures Procedures:
1. Review all SSO-mapped administrative accounts on FortiGate devices and remove unnecessary privileged roles.
2. Restrict SSO usage for admin access only to required identity providers and enforce least-privilege role mappings.
3. Enable and monitor FortiOS administrative event logs for SSO login activity and configuration changes made via SSO-authenticated accounts
4. Enforce multi-factor authentication (MFA) on all FortiGate administrative access, including SSO-based logins.
5. Regularly audit firewall configuration snapshots to detect unauthorized policy or routing changes.
6. Apply Fortinet’s PSIRT guidance for FG-IR-26-060, including hardening recommendations for FortiOS management interfaces.

Contributed by: Thivya