The issue, tracked as FG-IR-26-060, allows attackers with a malicious FortiCloud account to log into devices registered to other accounts.
The flaw stems from an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288). It impacts FortiOS, FortiManager, and FortiAnalyzer when FortiCloud SSO is enabled, a feature not active by default but often toggled on during FortiCare registration unless explicitly disabled.
Attackers exploit this to gain administrative access on targeted devices, even those fully patched against prior related issues. Fortinet notes the vulnerability also affects all SAML SSO implementations, though exploitation has been limited to FortiCloud SSO so far.
Products FortiWeb and FortiSwitch Manager remain under investigation, with no confirmed patches yet.
Multiple version branches across affected products require upgrades to mitigate the issue. Fortinet has outlined specific fixed releases, many upcoming as of January 27, 2026.
| Product | Affected Versions | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiAnalyzer 6.4 | Not affected | N/A |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiManager 6.4 | Not affected | N/A |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to 7.0.19 or above |
| FortiOS 6.4 | Not affected | N/A |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to 7.4.13 or above |
| FortiProxy 7.2 | All versions | Migrate to fixed release |
| FortiProxy 7.0 | All versions | Migrate to fixed release |
Customers should use Fortinet’s upgrade tool for the recommended paths.
Attackers used specific FortiCloud accounts, IP addresses, and post-exploitation tactics. Fortinet urges reviewing logs and admin accounts for these signs.
| Category | IoCs |
|---|---|
| SSO User Accounts | cloud-noc@mail[.]io, cloud-init@mail[.]io |
| IP Addresses (Primary) | 104.28.244[.]115, 104.28.212[.]114, 104.28.212[.]115, 104.28.195[.]105, 104.28.195[.]106, 104.28.227[.]106, 104.28.227[.]105, 104.28.244[.]114 |
| IP Addresses (Other) | 37.1.209[.]19, 217.119.139[.]50 |
| Malicious Local Admins | audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system |
Key log patterns include successful SSO logins (logid=”0100032001″) from suspicious IPs and admin creations (logid=”0100044547″). Post-breach, actors downloaded configs and added backdoor admins for persistence.
Fortinet locked malicious accounts on January 22, 2026, after detecting wild exploitation. The company disabled the FortiCloud SSO server-side on January 26, restoring it on January 27 with blocks on vulnerable devices. PSIRT advisory FG-IR-26-060 published same day.
This follows December 2025 advisories (FG-IR-25-647) on related SSO bypasses (CVE-2025-59718, CVE-2025-59719), fixed in some branches but bypassed here via a new path.
Immediate actions include restricting admin access via local-in policies to trusted IPs and disabling FortiCloud SSO if needed. CLI for FortiOS/FortiProxy: config system global; set admin-forticloud-sso-login disable; end. For FortiManager/FortiAnalyzer: config system saml; set forticloud-sso disable; end.
Post-compromise: Upgrade firmware, restore clean configs, rotate credentials, and audit VPN/LDAP ties. Monitor Fortinet PSIRT for patches. No CVSS score yet, as a zero-day without a CVE assignment.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Fortinet Disables FortiCloud SSO Following 0-day Vulnerability Exploited in the Wild appeared first on Cyber Security News.
Mobile Swipe Menu is a vanilla JavaScript library that creates touch-enabled off-canvas side menus for…
tiks is a JavaScript sound effect library that generates iOS-like UI audio feedback at runtime…
LANSING, MI (WOWO) A broad coalition of business groups, housing advocates and environmental organizations is…
LANSING, MI (WOWO) Michigan lawmakers are advancing a series of proposals aimed at reforming the…
A group of unauthorized users has reportedly breached access controls surrounding Claude Mythos Preview, Anthropic’s…
MARSHALL COUNTY, IND. (WOWO) Marshall County commissioners have approved a permanent ban on data centers…
This website uses cookies.