9.4 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
3 packages
- terraform-providers.fortios
- python312Packages.fortiosapi
- python313Packages.fortiosapi
- @LeSuisse dismissed
An Authentication Bypass Using an Alternate Path or Channel vulnerability …
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
References
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026… government-resource
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios vendor-advisory
Affected products
- =<7.4.10
- =<7.2.12
- =<7.6.5
- =<7.0.18
- =<8.0.3
- =<7.4.11
- =<7.6.6
- =<7.6.4
- =<7.0.22
- =<7.4.12
- =<7.2.15
- =<7.0.15
- =<7.2.11
- =<7.6.5
- =<7.4.9
- =<7.0.15
- =<7.2.11
- =<7.6.5
- =<7.4.9