Fortinet: Fortinet Disables FortiCloud SSO Following 0-day Vulnerability Exploited in the Wild

Fortinet Disables FortiCloud SSO After Zero-Day Exploitation

Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service following the active exploitation of a zero-day authentication bypass vulnerability (FG-IR-26-060) affecting multiple products. The flaw, classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), allows attackers with a malicious FortiCloud account to gain unauthorized access to devices registered under other accounts.

The vulnerability impacts FortiOS, FortiManager, and FortiAnalyzer when FortiCloud SSO is enabled. Although SSO is not active by default, it is often enabled during FortiCare registration. Exploitation grants attackers administrative access, even on fully patched systems. While the issue also affects all SAML SSO implementations, attacks have so far been limited to FortiCloud SSO. FortiWeb and FortiSwitch Manager remain under investigation, with no confirmed patches available.

Affected Versions & Fixes

Fortinet has released fixed versions for impacted products, with many updates scheduled for January 27, 2026. Customers are advised to upgrade to the following versions:

  • FortiAnalyzer: 7.6.6+, 7.4.10+, 7.2.12+, 7.0.16+
  • FortiManager: 7.6.6+, 7.4.10+, 7.2.13+, 7.0.16+
  • FortiOS: 7.6.6+, 7.4.11+, 7.2.13+, 7.0.19+
  • FortiProxy: 7.6.6+, 7.4.13+ (migration required for 7.2/7.0)

Indicators of Compromise (IoCs)

Attackers leveraged specific FortiCloud accounts and IP addresses, including:

  • Malicious SSO Accounts: cloud-noc@mail[.]io, cloud-init@mail[.]io
  • Primary IPs: 104.28.244[.]115, 104.28.212[.]114, 104.28.195[.]105
  • Suspicious Local Admins: audit, backup, itadmin, secadmin, support

Key log patterns include successful SSO logins (logid="0100032001") from suspicious IPs and unauthorized admin account creations (logid="0100044547"). Post-exploitation, attackers downloaded configurations and installed backdoor admins for persistence.
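A minimal detector for the two log patterns named above, added here as an example and not taken from Fortinet or the source article. The sample lines are constructed in FortiOS key=value event-log style, and the field names used for matching (srcip, user, status, action, cfgpath, cfgobj) are assumed rather than quoted from the advisory:

```python
import re

# Constructed sample lines in FortiOS key=value event-log style.
# Field names (srcip, user, status, cfgpath, cfgobj) are assumed, not taken from the advisory.
SAMPLE_LOGS = [
    'logid="0100032001" type="event" subtype="system" action="login" status="success" '
    'method="sso" user="cloud-noc@mail.io" srcip=104.28.244.115 msg="Administrator logged in"',
    'logid="0100032001" type="event" subtype="system" action="login" status="success" '
    'method="https" user="admin" srcip=10.0.0.5 msg="Administrator logged in"',
    'logid="0100044547" type="event" subtype="system" user="cloud-noc@mail.io" srcip=104.28.244.115 '
    'action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"',
    'logid="0100044547" type="event" subtype="system" user="admin" srcip=10.0.0.5 '
    'action="Add" cfgpath="system.admin" cfgobj="jsmith" msg="Add system.admin jsmith"',
]

# Indicators listed in the advisory summary (de-fanged "[.]" written plainly for matching).
MALICIOUS_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
SUSPICIOUS_IPS = {"104.28.244.115", "104.28.212.114", "104.28.195.105"}
SUSPICIOUS_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support"}
LOGID_SSO_LOGIN_OK = "0100032001"   # successful admin login
LOGID_ADMIN_CREATED = "0100044547"  # configuration object added

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted and bare values both handled."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def classify(rec):
    """Return finding strings for one parsed record (empty list when nothing matches)."""
    findings = []
    logid, user, ip = rec.get("logid"), rec.get("user", ""), rec.get("srcip", "")
    if logid == LOGID_SSO_LOGIN_OK and rec.get("status") == "success":
        if user.lower() in MALICIOUS_SSO_ACCOUNTS:
            findings.append(f"sso-login:known-malicious-account:{user}")
        if ip in SUSPICIOUS_IPS:
            findings.append(f"sso-login:suspicious-ip:{ip}")
    if logid == LOGID_ADMIN_CREATED and rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
        new_admin = rec.get("cfgobj", "")
        # Every new admin account deserves review; a known backdoor name raises the priority.
        tag = "known-backdoor-name" if new_admin.lower() in SUSPICIOUS_ADMIN_NAMES else "review"
        findings.append(f"admin-created:{tag}:{new_admin}")
        if user.lower() in MALICIOUS_SSO_ACCOUNTS or ip in SUSPICIOUS_IPS:
            findings.append(f"admin-created:by-ioc-actor:{user}@{ip}")
    return findings

def scan(lines):
    """Run classify over every line; returns [(line_index, finding), ...]."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(parse_line(line))]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOGS):
        print(idx, finding)
```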

Timeline & Response

  • January 22, 2026: Fortinet detected exploitation and locked malicious accounts.
  • January 26, 2026: FortiCloud SSO was disabled server-side.
  • January 27, 2026: Service restored with blocks on vulnerable devices; PSIRT advisory FG-IR-26-060 published.

This incident follows December 2025 advisories (FG-IR-25-647) on related SSO bypasses (CVE-2025-59718, CVE-2025-59719), which were patched in some branches but bypassed via a new attack vector. No CVSS score has been assigned, as the flaw remains a zero-day without a CVE.

Mitigation steps include restricting admin access to trusted IPs, disabling FortiCloud SSO if necessary, and monitoring for further updates from Fortinet’s PSIRT. Post-compromise actions involve firmware upgrades, config restoration, credential rotation, and auditing VPN/LDAP integrations.

Source: https://cybersecuritynews.com/fortinet-disabled-forticloud-sso-0-day/

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
