Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service after confirming active exploitation of a zero-day authentication bypass vulnerability in multiple products.
The issue, tracked as FG-IR-26-060, lets an attacker who controls a FortiCloud account log into devices that are registered to other customers' FortiCloud accounts.
The root cause is an Authentication Bypass Using an Alternate Path or Channel weakness (CWE-288). It affects FortiOS, FortiManager, and FortiAnalyzer when FortiCloud SSO is enabled. The feature is not active out of the box, but it is commonly switched on during FortiCare registration unless the administrator explicitly disables it.
Successful exploitation yields administrative access to the targeted device, including devices that are fully patched against the earlier, related SSO issues. Fortinet notes that the weakness affects all of its SAML SSO implementations, although observed exploitation has so far been limited to FortiCloud SSO.
FortiWeb and FortiSwitch Manager remain under investigation, with no confirmed fixes yet.
Affected Versions and Fixes
Multiple version branches of each affected product require an upgrade to remediate the issue. Fortinet has listed the fixed releases below; several of them had not yet shipped as of January 27, 2026.
| Product | Affected Versions | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiAnalyzer 6.4 | Not affected | N/A |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiManager 6.4 | Not affected | N/A |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to 7.0.19 or above |
| FortiOS 6.4 | Not affected | N/A |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to 7.4.13 or above |
| FortiProxy 7.2 | All versions | Migrate to fixed release |
| FortiProxy 7.0 | All versions | Migrate to fixed release |
Customers should use Fortinet's upgrade path tool to determine the supported upgrade path to the fixed release.
Indicators of Compromise
The attackers used specific FortiCloud accounts and source IP addresses and followed a consistent post-exploitation pattern. Fortinet urges customers to review their device logs and local administrator accounts for the following indicators.
| Category | IoCs |
|---|---|
| SSO User Accounts | cloud-noc@mail[.]io, cloud-init@mail[.]io |
| IP Addresses (Primary) | 104.28.244[.]115, 104.28.212[.]114, 104.28.212[.]115, 104.28.195[.]105, 104.28.195[.]106, 104.28.227[.]106, 104.28.227[.]105, 104.28.244[.]114 |
| IP Addresses (Other) | 37.1.209[.]19, 217.119.139[.]50 |
| Malicious Local Admins | audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system |
Key log patterns are successful SSO logins (logid="0100032001") from the listed IP addresses and administrator account creations (logid="0100044547") with the names above. After gaining access, the actors downloaded the device configuration and added local administrator accounts as backdoors for persistence.
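The detection described above, run over constructed sample log lines, as an added example (this is not Fortinet's code or tooling). The key=value layout and the field names it relies on (logid, user, srcip, ui, cfgobj, msg) follow the general FortiOS event-log format, but the sample lines are constructed for this example rather than captured from a real incident, and the exact fields emitted by a given firmware build may differ, so adapt the field mapping before pointing it at production logs. The script flags the two log IDs from the advisory when they involve an IoC account, an IoC address or an IoC admin name, and, as one extension beyond the text, also flags any admin creation performed from an SSO session, since a new local admin created through SSO is worth a look even when its name is not on the list.

```python
"""Triage FortiOS event logs for the FG-IR-26-060 indicators.

Added example, not Fortinet's code. Field names are modelled on the
general FortiOS key=value event-log format and are assumptions; the
SAMPLE_LOG lines below are constructed, not real captures.
"""
import re
from typing import Dict, Iterable, List

SSO_LOGIN_LOGID = "0100032001"   # successful SSO admin login (per advisory)
ADMIN_ADD_LOGID = "0100044547"   # administrator account created (per advisory)

IOC_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}
IOC_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}

# key="quoted value" or key=bare_value; quoted spans are consumed whole so
# "k=v" text inside a quoted msg field is not mis-parsed as a new key.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one FortiOS key=value log line into a dict."""
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def _admin_from_msg(msg: str) -> str:
    """Fallback: pull the object name from a 'Add system.admin <name>' message."""
    m = re.search(r"system\.admin\s+(\S+)", msg)
    return m.group(1) if m else ""


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious (empty list = clean)."""
    reasons: List[str] = []
    logid = ev.get("logid", "")
    user = ev.get("user", "").lower()
    srcip = ev.get("srcip", "")
    ui = ev.get("ui", "")
    if logid == SSO_LOGIN_LOGID:
        if user in IOC_SSO_ACCOUNTS:
            reasons.append(f"SSO login by known-malicious account {user}")
        if srcip in IOC_IPS:
            reasons.append(f"SSO login from IoC address {srcip}")
    elif logid == ADMIN_ADD_LOGID:
        new_admin = ev.get("cfgobj") or _admin_from_msg(ev.get("msg", ""))
        if new_admin.lower() in IOC_ADMIN_NAMES:
            reasons.append(f"admin '{new_admin}' created with IoC name by {user}")
        if srcip in IOC_IPS:
            reasons.append(f"admin '{new_admin}' created from IoC address {srcip}")
        if ui.startswith("sso("):
            # Extension beyond the advisory: any local admin added via an SSO
            # session deserves review during the exposure window.
            reasons.append(f"admin '{new_admin}' created from SSO session {ui}")
    return reasons


def triage_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run triage over raw log lines and collect the events that matched."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_fortios_line(line)
        reasons = triage_event(ev)
        if reasons:
            hits.append({"logid": ev.get("logid"), "user": ev.get("user"),
                         "srcip": ev.get("srcip"), "reasons": reasons})
    return hits


# Constructed sample lines (not real captures); field layout is an assumption.
SAMPLE_LOG = [
    # benign SSO login by a corporate admin from a trusted address
    'date=2026-01-23 time=08:15:02 logid="0100032001" type="event" subtype="system" '
    'user="ops@corp.example" ui="sso(198.51.100.10)" srcip=198.51.100.10 status="success" '
    'msg="Administrator ops@corp.example logged in successfully from sso(198.51.100.10)"',
    # SSO login by an IoC FortiCloud account from an IoC address
    'date=2026-01-23 time=08:41:17 logid="0100032001" type="event" subtype="system" '
    'user="cloud-noc@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 status="success" '
    'msg="Administrator cloud-noc@mail.io logged in successfully from sso(104.28.244.115)"',
    # backdoor local admin added from that SSO session
    'date=2026-01-23 time=08:43:05 logid="0100044547" type="event" subtype="system" '
    'user="cloud-noc@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 action="Add" '
    'cfgpath="system.admin" cfgobj="backup" cfgattr="accprofile[super_admin]" msg="Add system.admin backup"',
    # legitimate admin creation by the local admin from the management LAN
    'date=2026-01-23 time=09:02:44 logid="0100044547" type="event" subtype="system" '
    'user="admin" ui="ssh(10.0.0.5)" srcip=10.0.0.5 action="Add" '
    'cfgpath="system.admin" cfgobj="jsmith" msg="Add system.admin jsmith"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["logid"], hit["user"], hit["srcip"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Feed it the output of `execute log filter` / `execute log display` exported from the device, or the syslog stream your SIEM already collects, and compare matched usernames against `show system admin` so that an account created during the window is removed rather than merely noted.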
Timeline and Response
Fortinet locked the malicious FortiCloud accounts on January 22, 2026, after detecting in-the-wild exploitation. It disabled FortiCloud SSO server-side on January 26 and restored it on January 27 with SSO logins blocked for devices running vulnerable versions. The PSIRT advisory FG-IR-26-060 was published the same day.
This follows the December 2025 advisory FG-IR-25-647 on related SSO authentication bypasses (CVE-2025-59718 and CVE-2025-59719); those were fixed in several branches, but the fix is bypassed here through a new path.
Immediate actions are to restrict administrative access with local-in policies that admit only trusted source IPs and to disable FortiCloud SSO wherever it is not required. On FortiOS and FortiProxy:

```
config system global
    set admin-forticloud-sso-login disable
end
```

On FortiManager and FortiAnalyzer:

```
config system saml
    set forticloud-sso disable
end
```

If a device is suspected to be compromised: upgrade the firmware, restore a known-clean configuration, rotate every credential stored on or used by the device, and review the VPN and LDAP integrations it is tied to. Monitor Fortinet PSIRT for the pending fixed releases. No CVSS score has been published yet, and no CVE had been assigned at the time of writing.
