Security Bulletin: Active Exploitation of Single Sign-On (SSO) Authentication Abuse in Fortinet FortiOS

Written by RedLegg's Cyber Threat Intelligence Team | 1/27/26 4:27 PM

About:

Fortinet has confirmed active exploitation of Single Sign-On (SSO) authentication abuse in FortiOS, where threat actors are leveraging weaknesses in SSO-related mechanisms to obtain unauthorized administrative access. By abusing FortiCloud SSO and SAML-based authentication paths, attackers can bypass normal login protections and gain privileged access to FortiOS devices, potentially enabling full control of firewall configurations, credential harvesting, and follow-on network compromise.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Active Exploitation of Single Sign-On (SSO) Authentication Abuse in Fortinet FortiOS

Exploit or Proof of Concept (PoC):

Fortinet has confirmed active exploitation in the wild. Threat actors are abusing FortiOS Single Sign-On mechanisms to obtain unauthorized administrative access.

Update/ Patch:

Fortinet PSIRT Analysis and Mitigation Guidance:

https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios

Related baseline advisory for original SSO bypass:

https://www.fortiguard.com/psirt/FG-IR-25-647

Description:

Fortinet has published analysis confirming that attackers are actively abusing Single Sign-On functionality in FortiOS to gain administrative access.

Mitigation Recommendation:

Immediately disable FortiCloud SSO and SAML-based admin login if not operationally required.

Restrict management interfaces to internal networks or VPN-only access.

View full post