Critical SSO Flaw in the Fortinet Ecosystem: Unauthorized Administrator-Level Access via FortiCloud Identified

On December 9, 2025, Fortinet issued an emergency warning regarding a serious security vulnerability discovered in several of its products, including FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, and others. According to official information, the flaw allows attackers to bypass FortiCloud Single Sign-On (SSO) authentication.

The root cause lies in improper verification of digital signatures within SAML messages. As a result, the authentication process can be manipulated using a specially crafted SAML message, allowing an attacker to gain administrator-level access.

The flaw is categorized as “Improper Verification of Cryptographic Signature” (CWE-347) — meaning the system does not fully and correctly validate the cryptographic signature contained in the SAML message. Because of this, when a crafted SAML message is sent, the device may fail to verify the sender’s authenticity and automatically approve the login request via FortiCloud.

The issue was identified internally by Fortinet’s own team during routine security assessments and was officially disclosed by the company through FortiGuard.

Who is at Risk and When?

According to Fortinet’s advisory, the vulnerability affects the following products and versions. Administrators must promptly check their devices and apply the required updates:

FortiOS:

  • 7.6.0–7.6.3 → update to 7.6.4 or later
  • 7.4.0–7.4.8 → 7.4.9+
  • 7.2.0–7.2.11 → 7.2.12+
  • 7.0.0–7.0.17 → 7.0.18+

FortiProxy:

  • 7.6.0–7.6.3 → 7.6.4+
  • 7.4.0–7.4.10 → 7.4.11+
  • 7.2.0–7.2.14 → 7.2.15+
  • 7.0.0–7.0.21 → 7.0.22+

FortiSwitchManager:

  • 7.2.0–7.2.6 → 7.2.7+
  • 7.0.0–7.0.5 → 7.0.6+

FortiWeb:

  • 8.0.0 → 8.0.1+
  • 7.6.0–7.6.4 → 7.6.5+
  • 7.4.0–7.4.9 → 7.4.10+

Important note: FortiCloud SSO may not be enabled by default. However, when a device is registered to FortiCare via the graphical user interface (GUI), the “Allow administrative login using FortiCloud SSO” option may remain enabled unless the administrator manually disables it. Therefore, configuration settings must be carefully reviewed during installation and registration.

How Does the Risk Manifest in Practice?

If exploited, the flaw allows unauthorized administrative access — not remotely authenticated, but entirely without credentials.

In other words, an attacker can send a crafted SAML message to any misconfigured device with FortiCloud SSO enabled, gain administrator privileges, alter system configurations, and potentially compromise network security.

This scenario poses a particularly high risk for internet-exposed devices or those tightly integrated with FortiCloud.

Immediate Actions to Take (Practical Recommendations)

1. Apply updates as soon as possible.
Install the security patches released by Fortinet — upgrade to the versions listed on the official PSIRT page. Patching is the most reliable mitigation.

2. If immediate patching is not possible — disable FortiCloud SSO.
Administrators may temporarily disable administrative login via FortiCloud SSO until updates can be applied. This significantly reduces exposure.

3. Check device configuration.
Ensure that the automatically enabled “Allow administrative login using FortiCloud SSO” option is disabled if not required. Pay special attention to this when registering new devices via FortiCare.

4. Strengthen monitoring across the network.
Use SIEM and EDR solutions to detect unusual administrator authentication attempts, suspicious SAML-related activity, or unexpected configuration changes. Trigger incident response procedures immediately if anomalies are detected.

5. Conduct audits and asset inventory.
Identify all Fortinet devices across the network, check their firmware versions, and prioritize updates for those running vulnerable builds.

Additional Recommendations and Security Considerations

  • Regularly monitor Fortinet PSIRT updates and trusted cybersecurity sources — vulnerabilities and mitigation steps may evolve rapidly.
  • If your environment contains internet-facing management interfaces, restrict access to trusted IP addresses only.
  • If necessary, temporarily disconnect devices from the internet during the update process — especially if mass exploitation begins.

Fortinet’s disclosure highlights a serious vulnerability that allows attackers to bypass authentication through improper SAML signature verification and gain unauthorized access via FortiCloud SSO. The company has issued official patches and strongly advises administrators to update immediately or temporarily disable the SSO feature.

For any organization, this should be treated as a top-priority security risk: audit devices, apply patches, and eliminate exposure without delay.