Advisory · Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

Fortinet Warns of 2FA Bypass Vulnerability in FortiSOAR Web GUI

Fortinet disclosed an improper authentication vulnerability in FortiSOAR's web GUI that allows unauthenticated attackers to bypass two-factor authentication by replaying a captured request.

Fortinet has disclosed a security vulnerability in its FortiSOAR security orchestration, automation, and response (SOAR) platform that could allow attackers to bypass two-factor authentication protections. Tracked as FG-IR-26-101 and assigned a CVSS score of 6.7, the flaw resides in the web GUI of both the PaaS and on-premises versions of FortiSOAR.

The vulnerability, classified as improper authentication (CWE-287), stems from the way the FortiSOAR web GUI handles 2FA requests. An unauthenticated attacker who can intercept and decrypt the authentication traffic can capture a valid 2FA request and replay it before the token it carries expires, satisfying the second factor without ever knowing the user's second-factor secret. The attack requires precise timing and a position from which the encrypted traffic can be read, but a successful replay yields authenticated access to the FortiSOAR web interface.
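The advisory does not describe FortiSOAR's 2FA mechanism or the exact fix, so the following is an added, generic model of the failure mode rather than Fortinet's code: a time-based code verifier that accepts any code valid for the current window, beside a hardened one that additionally enforces one-time use so a captured code cannot be replayed within its validity window. The shared secret, timestamps and window size are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample secret for the demonstration; not a real key.
SECRET = b"constructed-shared-secret-for-demo"
STEP = 30          # seconds per time step (TOTP-style, RFC 6238)
WINDOW = 1         # accept one step of clock skew either side


def code_at(secret: bytes, t: int, step: int = STEP) -> str:
    """Derive a 6-digit code for the time step containing t (HOTP truncation, RFC 4226)."""
    counter = t // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


class VulnerableVerifier:
    """Accepts any code that matches a step inside the skew window.

    Nothing records that a code was already used, so a request captured from
    the legitimate user can be replayed until the time step rolls over.
    """

    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window

    def verify(self, code: str, now: int) -> bool:
        for skew in range(-self.window, self.window + 1):
            if hmac.compare_digest(code, code_at(self.secret, now + skew * STEP)):
                return True
        return False


class HardenedVerifier:
    """Same matching rule, but each accepted time step is consumed.

    The verifier remembers the highest time-step counter it has accepted and
    refuses any code for that counter or an earlier one, so a replayed request
    is rejected even though the code is still inside its validity window.
    """

    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window
        self.last_accepted_counter = -1   # hypothetical per-user state; persist it server-side

    def verify(self, code: str, now: int) -> bool:
        for skew in range(-self.window, self.window + 1):
            t = now + skew * STEP
            if hmac.compare_digest(code, code_at(self.secret, t)):
                counter = t // STEP
                if counter <= self.last_accepted_counter:
                    return False          # replay of an already-consumed step
                self.last_accepted_counter = counter
                return True
        return False


def simulate_replay(verifier_cls) -> tuple:
    """Legitimate login at t0, then the same captured code replayed 5 s later."""
    verifier = verifier_cls(SECRET)
    t0 = 1_700_000_000                    # constructed timestamp
    captured_code = code_at(SECRET, t0)   # what the attacker sees on the wire
    legit = verifier.verify(captured_code, t0)
    replay = verifier.verify(captured_code, t0 + 5)
    expired = verifier.verify(captured_code, t0 + 4 * STEP)   # long after the window
    return legit, replay, expired


if __name__ == "__main__":
    print("vulnerable:", simulate_replay(VulnerableVerifier))
    print("hardened:  ", simulate_replay(HardenedVerifier))
```

The hardened variant is the behaviour RFC 6238 recommends (a code must not be accepted twice), and it also illustrates the trade-off: a genuine user who logs in twice within one step is refused the second time, which is the price of making capture-and-replay useless. Expiry alone, as both verifiers show, only closes the window; it does not stop a replay inside it.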

FortiSOAR is widely used by security operations centers (SOCs) to automate incident response workflows, making it a high-value target for attackers seeking to pivot into enterprise networks. A successful bypass of 2FA could allow an attacker to access sensitive playbooks, modify automation rules, or exfiltrate threat intelligence data stored within the platform.

The advisory lists the affected versions as FortiSOAR PaaS and on-premises 7.6.0 through 7.6.3, and FortiSOAR PaaS and on-premises 7.5.0 through 7.5.2. Versions 7.4 and 7.3 are not affected. Fortinet has released fixes in FortiSOAR 7.6.4 and 7.5.3.

The vulnerability was internally discovered and reported by Leslie Zhou of the Fortinet PSIRT team. No evidence of active exploitation in the wild has been reported at the time of disclosure. Fortinet has not provided specific mitigations beyond upgrading to the patched versions.

This disclosure follows a broader trend of authentication bypass vulnerabilities in enterprise security tools. As organizations increasingly rely on SOAR platforms to centralize security operations, flaws that undermine multi-factor authentication protections pose a significant risk. Fortinet urges all customers running affected versions to upgrade immediately to prevent potential compromise.

Synthesized by Vypr AI