A critical vulnerability has been identified in multiple Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager. This flaw allows an unauthenticated remote attacker to bypass the FortiCloud Single Sign-On (SSO) authentication process, potentially granting them full administrative access to affected devices. Successful exploitation could lead to a complete network compromise, data theft, and significant operational disruption.

The vulnerability is an improper verification of a cryptographic signature within the Security Assertion Markup Language (SAML) authentication mechanism used for FortiCloud SSO. An unauthenticated attacker can send a specially crafted SAML response to a vulnerable device. Because the device fails to properly validate the cryptographic signature of this response, it incorrectly trusts the malicious assertion and grants the attacker authenticated access, effectively bypassing the login process.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to gain unauthorized administrative access to core network security infrastructure. This could lead to severe consequences, including the ability to alter firewall rules, disable security features, intercept network traffic, access sensitive internal resources, and deploy malware or ransomware across the organization. The potential for complete network compromise poses a direct and immediate threat to business operations, data confidentiality, and organizational reputation.

Immediate Action: Immediately apply the security updates provided by Fortinet to all affected products. Refer to the official Fortinet security advisory for specific patched versions and installation instructions. After patching, it is crucial to review access logs for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring:

• Monitor and audit all authentication logs on Fortinet devices, specifically looking for unusual or malformed SAML authentication events.
• Scrutinize logs for successful administrative logins from unknown or unexpected IP addresses, particularly if they occur outside of normal business hours.
• Implement alerts for any unauthorized configuration changes, creation of new administrative accounts, or modifications to firewall policies.

Compensating Controls: If patching cannot be performed immediately, consider the following mitigating actions:

• Temporarily disable the FortiCloud SSO login feature on the administrative interface.
• Restrict access to the device's management interface to a secure, isolated management network or a limited set of trusted IP addresses.
• Ensure Multi-Factor Authentication (MFA) is enforced for all administrative access, though it may not be effective against this specific bypass.

Public Exploit Available: False

Given the critical CVSS score of 9.8 and the risk of complete network compromise, this vulnerability requires immediate attention. We strongly recommend that organizations treat this as an emergency and apply the necessary patches to all affected Fortinet devices without delay. Although this CVE is not currently listed on the CISA KEV catalog, vulnerabilities of this nature are prime candidates for future inclusion and are frequently exploited by both cybercriminals and nation-state actors. Prioritize patching these external-facing systems to prevent unauthorized access to your network.