Fortinet has confirmed that critical authentication bypass vulnerabilities affecting FortiCloud Single Sign-On (SSO) remain exploitable, even in environments that have already applied recent patches. Attackers are actively abusing these flaws, and Fortinet expects to issue additional fixes within the next week. Read this Cybersecurity Threat Advisory for recommendations to protect your environment.
What is the threat?
Attackers are targeting authentication bypass vulnerabilities in Fortinet’s FortiCloud SSO login process. Under certain conditions, these flaws allow unauthorized access to FortiCloud environments without valid credentials, potentially giving threat actors administrative control over cloud-managed Fortinet assets such as firewalls, VPNs, and other security devices.
Although Fortinet released patches, the company has since confirmed the fixes are incomplete, and additional remediation is required.
Why is it noteworthy?
- Centralized impact: FortiCloud serves as a management and analytics platform for a wide range of Fortinet deployments. A compromise here provides access to a broad security footprint.
- Identity boundary failure: SSO authentication weaknesses enable attackers to bypass passwords—and in some cases even MFA—making this category of vulnerability particularly dangerous.
- Patches still insufficient: Even fully updated systems may remain vulnerable until Fortinet releases additional fixes, increasing exposure time.
- Active exploitation: Reports confirm attackers are already leveraging these vulnerabilities in real-world campaigns, raising urgency for monitoring and compensating controls.
What is the exposure or risk?
Organizations using FortiCloud SSO may face:
- Unauthorized FortiCloud access: Attackers could obtain administrative control without legitimate credentials.
- Manipulation of security infrastructure: With elevated access, adversaries can:
- Modify firewall, IPS, web filtering, or VPN configurations
- Push changes across multiple devices
- Disable or weaken security controls
- Theft of sensitive data: Attackers may exfiltrate configuration files, network topology details, VPN pre‑shared keys, API tokens, or logs used for further reconnaissance.
- Lateral movement and persistence: Centralized access enables deeper compromise across connected corporate environments.
Risk is highest for organizations that rely heavily on FortiCloud for centralized management and have broad internet-accessible administrative access.
What are the recommendations?
Barracuda recommends the following actions to mitigate this threat:
1. Monitor and follow Fortinet guidance
- Track Fortinet PSIRT updates and advisories related to FortiCloud SSO.
- Prepare to deploy updated patches immediately upon release.
- Apply any interim mitigations or configuration workarounds provided by Fortinet.
2. Harden FortiCloud access
- Enforce strong MFA for all FortiCloud accounts, especially administrators.
- Restrict admin access using IP allowlisting, VPN requirements, or conditional access.
- Minimize and audit admin accounts following least‑privilege principles.
3. Increase monitoring and detection
Review FortiCloud audit logs for:
- Unusual login locations or access times
- Newly created accounts or privilege escalations
- Unexpected device registrations or configuration changes
Enable alerts for anomalous login attempts and high‑risk admin actions. Correlate FortiCloud activity with your SIEM to detect suspicious firewall/VPN modifications.
4. Validate configuration integrity
- Conduct reviews of firewall, VPN, and segmentation rules to confirm they match approved baselines.
- Identify changes such as newly opened ports or altered logging settings.
- Re-deploy known-good configurations if integrity is uncertain.
5. Rotate sensitive credentials
If compromise is suspected—or logs are incomplete—rotate:
- FortiCloud admin passwords
- API keys and integration tokens
- VPN pre-shared keys and other secrets managed via Fortinet devices
6. Strengthen incident-response readiness
Ensure your IR plan includes procedures for cloud management platform compromise, rapid containment, and account lockdown. Conduct targeted threat hunting for suspicious admin activity or unusual firewall/VPN changes.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/fortinet-confirms-critical-forticloud-auth-bypass-not-fully-patched/
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-forticloud-sso-login-auth-bypass-flaws/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.
