An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
The flaw lies in improper user identity verification during the authentication process through an alternative path or channel (FortiCloud SSO). An attacker, having their own legitimate FortiCloud account and at least one registered device, can bypass standard access controls and authenticate to devices belonging to other organizations or accounts, provided those devices have FortiCloud SSO enabled. The SSO mechanism improperly isolates sessions and identities between different tenants, creating a pathway for unauthorized access.
An attacker can gain full unauthorized access to Fortinet devices of other organizations — potentially taking control of network configuration, firewalls, management and analysis systems. The consequences include breach of confidentiality, integrity, and availability of protected systems (CVSS C:H/I:H/A:H).
Immediately apply patches available from the vendor according to references (https://fortiguard.fortinet.com/psirt/FG-IR-26-060). Until updates are installed, it is recommended to disable FortiCloud SSO functionality on all affected devices. Due to active exploitation (CISA KEV), remediation actions should be taken immediately.
FortiAnalyzer 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.5; FortiManager 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.5; FortiNAC-F 7.6.3–7.6.5; FortiOS 7.0.0–7.0.18, 7.2.0–7.2.12, 7.4.0–7.4.10, 7.6.0–7.6.5; FortiProxy 7.0.0–7.0.22, 7.2.0–7.2.15, 7.4.0–7.4.12, 7.6.0–7.6.4; FortiWeb 7.4.0–7.4.11, 7.6.0–7.6.6, 8.0.0–8.0.3. A necessary condition is that FortiCloud SSO functionality is enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet Fortianalyzer
APPFortinet7.6.0 – 7.6.6 (bez)7.0.0 – 7.0.157.2.0 – 7.2.117.4.0 – 7.4.10 (bez)Fortinet Fortimanager
APPFortinet7.4.0 – 7.4.10 (bez)7.0.0 – 7.0.157.2.0 – 7.2.117.6.0 – 7.6.6 (bez)Fortinet Fortinac F
APPFortinet7.6.3 – 7.6.6 (bez)Fortinet FortiOS
OSFortinet7.6.0 – 7.6.6 (bez)7.0.0 – 7.0.187.2.0 – 7.2.127.4.0 – 7.4.11 (bez)Fortinet Fortiproxy
APPFortinet7.4.0 – 7.4.127.0.0 – 7.0.227.2.0 – 7.2.157.6.0 – 7.6.4Fortinet Fortiweb
APPFortinet8.0.0 – 8.0.37.6.0 – 7.6.67.4.0 – 7.4.11Siemens Ruggedcom Ape1808
HWSiemenswszystkie wersjeSiemens Ruggedcom Ape1808 Firmware
OSSiemenswszystkie wersje
CISA KEV — detailsi
- Vendori
- Fortinet ↗
- Producti
- Multiple Products
- Added to KEVi
- January 27, 2026
- Remediation deadline (US Federal)i
- January 30, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Related vulnerabilities
Buffer overflow RCE z uprawnieniami root w PAN-OS Captive Portal
Fortinet FortiOS/FortiProxy/FortiSwitchManager — Auth Bypass przez SAML
Path Traversal w Fortinet FortiWeb umożliwiający zdalne wykonanie poleceń
Krytyczna podatność SQL Injection w Fortinet FortiWeb — obejście uwierzytelnienia
Authentication Bypass w FortiOS i FortiProxy — przejęcie uprawnień super-admin