Over the past few weeks and mentioned in our earlier advisory-
- security teams have been dealing with a serious authentication bypass flaw affecting Fortinet’s FortiGate firewalls and related products. The issue stems from how FortiCloud and SAML-based Single SignOn (SSO) are handled, allowing attackers to slip past authentication entirely and gain administrative access without valid credentials.
What’s making this situation even more concerning is that multiple researchers and administrators have reported successful compromises on systems that were supposedly patched. In other words, some FortiOS reports suggest that recent updates have not fully mitigated exploitation..
As of now, it is not completely clear which versions are affected, and which are not. However, there are posts mentioning seeing active exploitation in FortiOS version 7.4.9. As this version was considered to be patched of the vulnerability, it is likely that other versions are vulnerable as well.
We recommend staying up to date with Fortinet PSIRT and announcements from Fortinet as this concern is likely to be addressed by them soon.
If you don’t absolutely need it, disable it. This is the primary attack vector.
config system global
set admin-forticloud-sso-login disable
end
Restrict admin login to trusted internal IPs or a dedicated management network. Avoid exposing the admin interface to the internet.
Check for things like:
If you spot anything suspicious, treat the device as compromised.
Fortinet is expected to release additional patches. Keep an eye on advisories and be ready to deploy updates quickly.
Given the number of confirmed incidents, it’s safer to assume your device may have been affected and investigate accordingly.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.