=====================================================================
CERT-Renater Information Note No. 2026/VULN092
_____________________________________________________________________

DATE                 : 28/01/2026
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FortiOS versions prior to 7.6.6, 7.4.11, 7.2.13, 7.0.19,
                       FortiManager versions prior to 7.6.6, 7.4.10, 7.2.13, 7.0.16,
                       FortiAnalyzer versions prior to 7.6.6, 7.4.10, 7.2.12, 7.0.16,
                       FortiProxy versions prior to 7.6.6, 7.4.13,
                       FortiWeb versions prior to 8.0.4, 7.6.7, 7.4.12.
=====================================================================

https://www.fortiguard.com/psirt/FG-IR-26-060
_____________________________________________________________________

Administrative FortiCloud SSO authentication bypass

Summary

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb may allow an attacker with a FortiCloud account and a registered device to log into devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, FortiCloud SSO login is enabled upon registration unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" on the registration page.

This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22. In order to protect its customers from further exploitation, Fortinet disabled FortiCloud SSO on the FortiCloud side on 2026-01-26. It was re-enabled on 2026-01-27 and no longer supports login from devices running vulnerable versions.
Consequently, customers must upgrade to the latest versions listed below for FortiCloud SSO authentication to function.

FortiManager Cloud, FortiAnalyzer Cloud and FortiGate Cloud are NOT impacted.

Setups with a Custom IdP for SSO instead of FortiCloud are not impacted (including setups using FortiAuthenticator as the Custom IdP).

The following product is under investigation: FortiSwitch Manager

Version            Affected               Solution
FortiAnalyzer 7.6  7.6.0 through 7.6.5    Upgrade to upcoming 7.6.6 or above
FortiAnalyzer 7.4  7.4.0 through 7.4.9    Upgrade to 7.4.10 or above
FortiAnalyzer 7.2  7.2.0 through 7.2.11   Upgrade to upcoming 7.2.12 or above
FortiAnalyzer 7.0  7.0.0 through 7.0.15   Upgrade to upcoming 7.0.16 or above
FortiAnalyzer 6.4  Not affected           Not Applicable
FortiManager 7.6   7.6.0 through 7.6.5    Upgrade to upcoming 7.6.6 or above
FortiManager 7.4   7.4.0 through 7.4.9    Upgrade to 7.4.10 or above
FortiManager 7.2   7.2.0 through 7.2.11   Upgrade to upcoming 7.2.13 or above
FortiManager 7.0   7.0.0 through 7.0.15   Upgrade to upcoming 7.0.16 or above
FortiManager 6.4   Not affected           Not Applicable
FortiOS 8.0        Not affected           Not Applicable
FortiOS 7.6        7.6.0 through 7.6.5    Upgrade to upcoming 7.6.6 or above
FortiOS 7.4        7.4.0 through 7.4.10   Upgrade to 7.4.11 or above
FortiOS 7.2        7.2.0 through 7.2.12   Upgrade to upcoming 7.2.13 or above
FortiOS 7.0        7.0.0 through 7.0.18   Upgrade to upcoming 7.0.19 or above
FortiOS 6.4        Not affected           Not Applicable
FortiProxy 7.6     7.6.0 through 7.6.4    Upgrade to upcoming 7.6.6 or above
FortiProxy 7.4     7.4.0 through 7.4.12   Upgrade to upcoming 7.4.13 or above
FortiProxy 7.2     7.2 all versions       Migrate to a fixed release
FortiProxy 7.0     7.0 all versions       Migrate to a fixed release
FortiWeb 8.0       8.0.0 through 8.0.3    Upgrade to upcoming 8.0.4 or above
FortiWeb 7.6       7.6.0 through 7.6.6    Upgrade to upcoming 7.6.7 or above
FortiWeb 7.4       7.4.0 through 7.4.11   Upgrade to upcoming 7.4.12 or above
FortiWeb 7.2       Not affected           Not Applicable
FortiWeb 7.0       Not affected           Not Applicable

Follow the
recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Workaround

FortiCloud SSO authentication no longer supports login from devices running vulnerable versions. Therefore, disabling FortiCloud SSO login on the device side is not necessary at the moment. For reference, it can nonetheless be done as follows.

On FortiOS and FortiProxy: go to System -> Settings -> switch "Allow administrative login using FortiCloud SSO" to Off, or type the following commands in the CLI:

    config system global
        set admin-forticloud-sso-login disable
    end

On FortiManager and FortiAnalyzer: go to System Settings -> SAML SSO -> switch "Allow admins to login with FortiCloud" to Off, or type the following commands in the CLI:

    config system saml
        set forticloud-sso disable
    end

Indicators of Compromise

SSO Login User Accounts

The actor has been observed to have logged in with the following user accounts:

    cloud-noc@mail.io
    cloud-init@mail.io
    heltaylor.12@tutamail.com
    support@openmail.pro

We expect these addresses may change in the future, as action has been taken to neutralize these accounts.

IP Addresses

The actor has been observed to log in via multiple IP addresses and appears to have switched to using Cloudflare-protected IPs. Additional IPs were observed by a third party, not Fortinet.

Malicious Local Account Creation

Following authentication via SSO, it has been observed that the actor creates a local admin account with one of the following names. This has changed through our analysis, so Fortinet recommends reviewing all admin accounts to look for any unexpected entries.
    audit, backup, itadmin, secadmin, support, backupadmin, deploy,
    remoteadmin, security, svcadmin, system, adccount

Attacker main operations:
    - Download customer config file
    - Add an admin account to get persistence

Timeline

2026-01-27: Initial publication

References

https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios

IR Number      : FG-IR-26-060
Published Date : Jan 27, 2026
Component      : GUI
Severity       : Critical
CVSSv3 Score   : 9.4
Impact         : Improper access control
CVE ID         :

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email : cert@support.renater.fr +
=========================================================
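As an added example (not code from the advisory, CERT-Renater or Fortinet), the script below audits a FortiOS CLI configuration backup for the "admin-forticloud-sso-login" toggle named in the workaround and for local admin accounts matching the names listed under Malicious Local Account Creation. The sample configuration is constructed, EXPECTED_ADMINS is an assumption for that sample, and the section layout follows the standard FortiOS "config ... edit ... next ... end" backup format.

```python
# Added example, not part of the advisory or Fortinet's own tooling: audit a
# FortiOS CLI configuration backup for the FortiCloud SSO admin-login toggle
# named in the workaround and for local admin names listed under IoCs.
import re

# Account names from "Malicious Local Account Creation" in the advisory.
SUSPECT_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system", "adccount",
}
# Accounts expected on this device (assumption for the sample); others are flagged.
EXPECTED_ADMINS = {"admin"}

def audit_fortios_config(text):
    """Return sso_login ('enable'/'disable'/None if not set explicitly),
    suspect admin names, and admin names outside EXPECTED_ADMINS."""
    path, sso, admins = [], None, []   # path = stack of open 'config' sections
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
        elif line == "end" and path:
            path.pop()
        elif line.startswith("edit ") and path and path[-1] == "system admin":
            admins.append(line[len("edit "):].strip().strip('"'))
        elif path and path[-1] == "system global":
            m = re.match(r"set admin-forticloud-sso-login (\S+)", line)
            if m:
                sso = m.group(1)
    return {
        "sso_login": sso,
        "suspect": [a for a in admins if a in SUSPECT_ADMIN_NAMES],
        "unexpected": [a for a in admins if a not in EXPECTED_ADMINS],
    }

# Constructed sample in FortiOS CLI backup layout (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-1"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "itadmin"
        set accprofile "super_admin"
    next
end
"""
```

A result of sso_login None means the backup does not set the toggle explicitly, so the effective value must be confirmed on the device itself.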