Fortinet has disclosed a critical vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
What’s the Issue
- Root cause: Devices fail to properly verify signatures in SAML messages.
- Impact: An unauthenticated attacker can craft malicious SAML messages to bypass FortiCloud SSO login and gain administrative access.
- Discovery: Found internally by Fortinet’s Product Security team (Yonghui Han and Theo Leleu).
- Risk profile:
  - FortiCloud SSO login is not enabled by default.
  - However, when registering a device to FortiCare via GUI, the “Allow administrative login using FortiCloud SSO” toggle is enabled by default unless manually disabled.
Mitigation & Workarounds
- Immediate action:
  - Upgrade to patched versions listed below.
  - If patching is not possible, disable FortiCloud SSO login:
    - GUI: System → Settings → toggle off “Allow administrative login using FortiCloud SSO”.
    - CLI:

      ```
      config system global
          set admin-forticloud-sso-login disable
      end
      ```
Affected Versions & Fixes
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| FortiOS 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiOS 7.4 | 7.4.0 – 7.4.8 | 7.4.9+ |
| FortiOS 7.2 | 7.2.0 – 7.2.11 | 7.2.12+ |
| FortiOS 7.0 | 7.0.0 – 7.0.17 | 7.0.18+ |
| FortiOS 6.4 | Not affected | — |
| FortiProxy 7.6 | 7.6.0 – 7.6.3 | 7.6.4+ |
| FortiProxy 7.4 | 7.4.0 – 7.4.10 | 7.4.11+ |
| FortiProxy 7.2 | 7.2.0 – 7.2.14 | 7.2.15+ |
| FortiProxy 7.0 | 7.0.0 – 7.0.21 | 7.0.22+ |
| FortiSwitchMgr 7.2 | 7.2.0 – 7.2.6 | 7.2.7+ |
| FortiSwitchMgr 7.0 | 7.0.0 – 7.0.5 | 7.0.6+ |
| FortiWeb 8.0 | 8.0.0 | 8.0.1+ |
| FortiWeb 7.6 | 7.6.0 – 7.6.4 | 7.6.5+ |
| FortiWeb 7.4 | 7.4.0 – 7.4.9 | 7.4.10+ |
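The two checks a defender actually needs from this advisory are "is my firmware in an affected range" and "is the FortiCloud SSO login toggle still on". The script below is an added example, not Fortinet's code: it encodes the version table above and reads the `admin-forticloud-sso-login` setting from a `show system global` style dump (the sample dump is constructed, and a device that omits the line is reported as `unset`, since the advisory says the default then depends on how the unit was registered).

```python
import re

# Vulnerable version ranges, (first, last) inclusive per branch, taken from the
# advisory table above. Anything outside these ranges is treated as not affected.
VULNERABLE = {
    "FortiOS": [((7, 6, 0), (7, 6, 3)), ((7, 4, 0), (7, 4, 8)),
                ((7, 2, 0), (7, 2, 11)), ((7, 0, 0), (7, 0, 17))],
    "FortiProxy": [((7, 6, 0), (7, 6, 3)), ((7, 4, 0), (7, 4, 10)),
                   ((7, 2, 0), (7, 2, 14)), ((7, 0, 0), (7, 0, 21))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 6)), ((7, 0, 0), (7, 0, 5))],
    "FortiWeb": [((8, 0, 0), (8, 0, 0)), ((7, 6, 0), (7, 6, 4)), ((7, 4, 0), (7, 4, 9))],
}

def parse_version(text):
    """Turn '7.4.3' (or 'v7.4.3') into a comparable tuple of ints."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(product, version):
    """True if the version falls inside an affected range for that product."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE.get(product, []))

def sso_login_setting(config_text):
    """Read admin-forticloud-sso-login from a 'show system global' dump.
    Returns 'enable', 'disable', or 'unset' when the line is absent (the device
    default applies, which per the advisory depends on how it was registered)."""
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\s*$",
                  config_text, re.MULTILINE)
    return m.group(1) if m else "unset"

def assess(product, version, config_text):
    """Combine both checks: exposed only if vulnerable AND SSO login is not disabled."""
    vulnerable = is_vulnerable(product, version)
    sso = sso_login_setting(config_text)
    exposed = vulnerable and sso != "disable"
    return {"vulnerable": vulnerable, "sso_login": sso, "exposed": exposed}

# Constructed sample dump (not captured from a real device), for demonstration.
SAMPLE_CONFIG = """config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
"""

if __name__ == "__main__":
    print(assess("FortiOS", "7.4.3", SAMPLE_CONFIG))
```

An `unset` result should be treated as "verify on the device", not as safe, because the GUI registration path described above can leave the toggle enabled without a `set` line appearing in the dump.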
Why It Matters
- Fortinet appliances are widely deployed in enterprise and government networks.
- Authentication bypass flaws in SSO systems can lead to full administrative compromise.
- Attackers could leverage this to disable defenses, pivot into internal networks, or deploy ransomware.
Recommended Next Steps
- Patch immediately to the fixed versions.
- Disable FortiCloud SSO login if patching is delayed.
- Audit logs for suspicious SAML messages or unauthorized admin logins.
- Restrict admin access and enforce MFA wherever possible.