If you manage FortiGate, FortiManager, or FortiAnalyzer, a critical authentication bypass in FortiCloud SSO is being actively exploited. Devices patched against the December vulnerabilities are still at risk.
At Veritium, we are working with our clients to secure their perimeters immediately. If you need assistance with emergency patching or compromise assessments, please reach out to our team.
✅ THE FIX: UPGRADE IMMEDIATELY
You must move to these specific versions to secure your perimeter and restore SSO functionality:
- FortiOS: 7.6.6+, 7.4.11+, 7.2.13+, or 7.0.19+
- FortiManager/Analyzer: 7.6.6+, 7.4.10+, or 7.2.12+
🔍 AUDIT YOUR ADMINS & LOGS
Check for these specific Indicators of Compromise (IoCs) observed in the current wave:
Rogue SSO Accounts:
- cloud-noc@mail.io
- cloud-init@mail.io
Rogue Local Admins:
- audit, backup, itadmin, secadmin, supportbackupadmin, remoteadmin, svcadmin, system
Suspicious Source IPs:
- 104.28.244.115
- 104.28.212.114
- 37.1.209.19
- 217.119.139.50
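As an added triage helper (not Veritium's or Fortinet's own code), the Python below checks the output of `show system admin` / `show system sso-admin` and key=value admin-login event log lines against the IoCs listed above. The `sso-admin` table name, the log field names (`user`, `srcip`, `action`) and the sample input are assumptions constructed for the example.

```python
import re

# IoCs quoted in the advisory above (the fused e-mail/IP strings split at the only valid boundary).
ROGUE_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
ROGUE_LOCAL_ADMINS = {"audit", "backup", "itadmin", "secadmin", "supportbackupadmin",
                      "remoteadmin", "svcadmin", "system"}
SUSPICIOUS_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')   # entry name inside a FortiOS CLI table
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value pairs in FortiOS event logs

def parse_admin_tables(cli_text):
    """Map each 'config system <table>' block (e.g. admin, sso-admin) to its entry names."""
    tables, current = {}, None
    for line in cli_text.splitlines():
        s = line.strip()
        if s.startswith("config system "):
            current = s[len("config system "):]
            tables.setdefault(current, set())
        elif s == "end":
            current = None
        elif current is not None and (m := EDIT_RE.match(line)):
            tables[current].add(m.group(1))
    return tables

def find_rogue_admins(cli_text):
    """Sorted (table, name) pairs whose name is on the advisory's rogue account lists."""
    t = parse_admin_tables(cli_text)
    hits = [("admin", n) for n in t.get("admin", ()) if n in ROGUE_LOCAL_ADMINS]
    hits += [("sso-admin", n) for n in t.get("sso-admin", ()) if n in ROGUE_SSO_ACCOUNTS]
    return sorted(hits)

def find_suspicious_logins(log_lines):
    """(user, srcip) for admin-login log lines whose srcip is on the advisory's IP list."""
    hits = []
    for line in log_lines:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if kv.get("action") == "login" and kv.get("srcip") in SUSPICIOUS_IPS:
            hits.append((kv.get("user", "?"), kv["srcip"]))
    return hits

# Constructed sample input for a stand-alone run; not a real capture.
SAMPLE_CONFIG = ('config system admin\n    edit "admin"\n    next\n    edit "svcadmin"\n    next\nend\n'
                 'config system sso-admin\n    edit "cloud-noc@mail.io"\n    next\nend\n')
SAMPLE_LOGS = [
    'logdesc="Admin login successful" user="svcadmin" srcip=104.28.244.115 action="login" status="success"',
    'logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login" status="success"',
]

if __name__ == "__main__":
    print("rogue admins:", find_rogue_admins(SAMPLE_CONFIG))
    print("suspicious logins:", find_suspicious_logins(SAMPLE_LOGS))
```

Feed it the real `show` output and exported event logs; a hit on either list is a reason to start a compromise assessment, not just to delete the account.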
🛠️ IMMEDIATE MITIGATION
If you cannot patch right now, disable FortiCloud SSO login via the CLI:
config system global
set admin-forticloud-sso-login disable
end