Multiple Vulnerabilities in FortiCloud SSO Authentication Exposed
Fortinet reported two vulnerabilities in FortiCloud SSO authentication affecting FortiOS, FortiManager, FortiAnalyzer, and FortiProxy. The first, an Authentication Bypass (CWE-288), allows an attacker who holds a FortiCloud account to log into devices registered to other FortiCloud accounts when SSO login is enabled. Fortinet observed this being exploited in the wild through malicious FortiCloud accounts and disabled the feature on its side on January 26, 2026. The second, an Improper Verification of Cryptographic Signature (CWE-347), allows an unauthenticated attacker to bypass the SSO login with crafted SAML messages. Both vulnerabilities require SSO login to be enabled, which is not the default setting. Fortinet recommends disabling SSO login until devices are upgraded to a non-affected version. Because exploitation has already been observed, customers are urged to review their admin accounts for unauthorized entries.
Key Points:
• Two critical vulnerabilities in FortiCloud SSO authentication were disclosed.
• Attackers exploited these vulnerabilities to gain unauthorized access to devices.
• Fortinet disabled the SSO feature temporarily to protect customers.
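The two follow-up actions the advisory calls for (confirm SSO login is disabled, review admin accounts for entries you did not create) can be checked offline against a configuration export. The script below is an added example, not Fortinet's code or part of the advisory. It assumes that the FortiOS CLI keyword for the feature is `admin-forticloud-sso-login` under `config system global`, that admin accounts live under `config system admin`, and that the organisation keeps a baseline list of expected admin names; the configuration text it parses is constructed for the example.

```python
"""Audit a FortiOS-style config export for FortiCloud SSO login being enabled
and for admin accounts that are not on the expected baseline.

Added example, not Fortinet's code. Assumptions: the setting is
`set admin-forticloud-sso-login {enable|disable}` under `config system global`,
admins are `edit "<name>" ... next` entries under `config system admin`, and the
feature defaults to disabled (as the advisory states). SAMPLE_CONFIG is constructed.
"""
import re

# Constructed sample export: SSO login left enabled, plus one admin
# ("svc-backup7") that nobody on the team recognises.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "svc-backup7"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Admin names the organisation expects to exist (assumed baseline).
BASELINE_ADMINS = {"admin", "netops"}

# CLI fragment that turns the feature off (assumed keyword, see docstring).
REMEDIATION = """\
config system global
    set admin-forticloud-sso-login disable
end
"""


def _sections(config_text):
    """Yield (name, body) for each top-level 'config ... end' block.

    Deliberately simple: it does not handle nested 'config' blocks inside an
    'edit' entry (e.g. trusted hosts), which a full parser would need.
    """
    pattern = re.compile(r"^config (.+?)\n(.*?)^end\s*$", re.M | re.S)
    for m in pattern.finditer(config_text):
        yield m.group(1).strip(), m.group(2)


def sso_login_enabled(config_text):
    """True if FortiCloud SSO admin login is explicitly enabled.

    If the keyword is absent we treat it as disabled, matching the advisory's
    statement that SSO login is not enabled by default.
    """
    for name, body in _sections(config_text):
        if name == "system global":
            m = re.search(r"^\s*set admin-forticloud-sso-login (\w+)", body, re.M)
            return m is not None and m.group(1) == "enable"
    return False


def admin_accounts(config_text):
    """Return {admin_name: accprofile or None} from 'config system admin'."""
    accounts = {}
    for name, body in _sections(config_text):
        if name != "system admin":
            continue
        entry_re = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\s*$', re.M | re.S)
        for entry in entry_re.finditer(body):
            acct, attrs = entry.group(1), entry.group(2)
            prof = re.search(r'set accprofile "([^"]+)"', attrs)
            accounts[acct] = prof.group(1) if prof else None
    return accounts


def unexpected_admins(config_text, baseline=BASELINE_ADMINS):
    """Admin names present in the export but missing from the baseline."""
    return sorted(a for a in admin_accounts(config_text) if a not in baseline)


def audit(config_text, baseline=BASELINE_ADMINS):
    """Combine both checks into one report dict."""
    return {
        "sso_enabled": sso_login_enabled(config_text),
        "unexpected_admins": unexpected_admins(config_text, baseline),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    if report["sso_enabled"]:
        print("FortiCloud SSO login is ENABLED; apply:\n" + REMEDIATION)
    for acct in report["unexpected_admins"]:
        print(f"Review admin account not in baseline: {acct}")
```

Run it against a real `show full-configuration` export instead of `SAMPLE_CONFIG`; any account the script flags should be traced to a change ticket or treated as a possible artefact of the SSO bypass. The baseline comparison is the part that matters: an attacker who logged in via the bypass needs a persistent local admin to survive SSO being switched off.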