Technical Tip: Understanding the FortiOS critical vulnerability (FG-IR-25-647, FG-IR-26-060) upgrade prompt in GUI
Description
This article describes the expected upgrade prompt that appears after logging in to firmware versions affected by the FortiCloud SSO login authentication bypass critical vulnerabilities FG-IR-25-647 and FG-IR-26-060.
Scope
FortiOS v7.4.10 and earlier, FortiOS v7.6.5 and earlier.
Solution
After booting, FortiOS will check its build number against the PSIRT definitions for known critical vulnerabilities. In FortiOS v7.4 and later, this feature requires only firmware entitlement. See this article: Technical Tip: FortiOS GUI critical vulnerability warning message and licensing entitlement for versions 7.2, 7.4 and 7.6.
If a known critical vulnerability is detected, FortiOS displays an upgrade prompt after FortiGate login, accompanied by a GUI warning that allows the administrator to upgrade or skip, as shown in the image below. This notifies the administrator of potential security risks and enables immediate mitigation.
For further information on the vulnerability announcement FG-IR-25-647, refer to the PSIRT advisory: Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass. For FG-IR-26-060, refer to Administrative FortiCloud SSO authentication bypass.
To mitigate exposure to both vulnerabilities in affected versions, the FortiCloud SSO login feature should be temporarily disabled until the device is upgraded to a non-affected version, as mentioned in the latest PSIRT advisory FG-IR-26-060.
Note: The firewall will not automatically reboot after one week. The message is only a warning recommending that the device be upgraded within one week. There is no automatic restart triggered by this notification.
To disable the feature, log in to FortiGate, navigate to Settings, and disable the 'FortiCloud SSO' option (it may also appear as 'Allow administrative login using FortiCloud SSO', depending on firmware).
Configure via CLI:
config system global
set admin-forticloud-sso-login disable
end
Note: This CLI command does not affect production traffic or other FortiGate functionality. It only prevents administrators from logging in to the device through FortiCloud Single Sign-On; other administrative login methods continue to work.
These vulnerabilities affect only devices with FortiCloud SSO login enabled. Disabling the 'FortiCloud SSO' option mitigates the risk until the device is upgraded to a fixed FortiOS version.
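The two facts that decide whether a device still needs attention are its firmware version (the Scope above) and the current value of admin-forticloud-sso-login. The following script, added here as an example and not Fortinet's own tooling, audits a fleet from the output of 'get system status' and 'show full-configuration system global' collected from each FortiGate (the full configuration is used because 'show' alone omits settings at their default value). The CLI outputs below are constructed for the example, and applying the Scope version limits per branch (7.4.x up to 7.4.10, 7.6.x up to 7.6.5, other branches reported as not covered) is an assumption; confirm other branches against the PSIRT advisories.

```python
"""Fleet audit: which FortiGates are in the affected FortiOS range and still
have FortiCloud SSO administrative login enabled.

Added example, not Fortinet's code. Inputs per device are the text of
'get system status' (version) and 'show full-configuration system global'
(admin-forticloud-sso-login). Sample outputs are constructed.
"""
import re

# Highest affected patch level per branch, taken from the article's Scope.
# Assumption: the limits are branch-specific; other branches return None.
AFFECTED_MAX_PATCH = {(7, 4): 10, (7, 6): 5}

# 'Version: FortiGate-100F v7.4.8,build2795,250523 (GA.F)'
VERSION_RE = re.compile(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
# '    set admin-forticloud-sso-login enable'
SSO_RE = re.compile(r"^\s*set\s+admin-forticloud-sso-login\s+(enable|disable)\s*$", re.MULTILINE)


def parse_version(status_output):
    """Return (major, minor, patch) from 'get system status' output."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no 'Version:' line found in get system status output")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True = affected, False = at/after the fixed release, None = branch not covered here."""
    major, minor, patch = version
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    if max_patch is None:
        return None
    return patch <= max_patch


def sso_login_enabled(global_config):
    """True if admin-forticloud-sso-login is 'enable' in the full configuration."""
    m = SSO_RE.search(global_config)
    if not m:
        raise ValueError("admin-forticloud-sso-login not found; collect 'show full-configuration'")
    return m.group(1) == "enable"


def assess(name, status_output, global_config):
    """Classify one device into an action state."""
    version = parse_version(status_output)
    affected = is_affected(version)
    sso = sso_login_enabled(global_config)
    if affected is None:
        state = "branch-not-covered"          # check the PSIRT advisory manually
    elif not affected:
        state = "fixed-version"               # nothing to do
    elif sso:
        state = "EXPOSED"                     # disable SSO login now, then upgrade
    else:
        state = "mitigated-upgrade-pending"   # SSO login off, still schedule upgrade
    return {"device": name, "version": "%d.%d.%d" % version, "sso_login": sso, "state": state}


def audit(fleet):
    """fleet: list of (name, status_output, global_config). Returns one dict per device."""
    return [assess(*entry) for entry in fleet]


# Constructed sample CLI output for three devices (not real devices).
FGT_A_STATUS = "Version: FortiGate-100F v7.4.8,build2795,250523 (GA.F)\nHostname: fgt-a\n"
FGT_A_GLOBAL = "config system global\n    set admin-forticloud-sso-login enable\n    set admin-sport 443\nend\n"
FGT_B_STATUS = "Version: FortiGate-60F v7.6.3,build3510,250101 (GA.F)\nHostname: fgt-b\n"
FGT_B_GLOBAL = "config system global\n    set admin-forticloud-sso-login disable\n    set admin-sport 443\nend\n"
FGT_C_STATUS = "Version: FortiGate-VM64 v7.4.11,build2900,260101 (GA.F)\nHostname: fgt-c\n"
FGT_C_GLOBAL = "config system global\n    set admin-forticloud-sso-login enable\nend\n"

SAMPLE_FLEET = [
    ("fgt-a", FGT_A_STATUS, FGT_A_GLOBAL),
    ("fgt-b", FGT_B_STATUS, FGT_B_GLOBAL),
    ("fgt-c", FGT_C_STATUS, FGT_C_GLOBAL),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLEET):
        print("%-8s %-8s sso=%-5s %s" % (row["device"], row["version"], row["sso_login"], row["state"]))
```

Devices reported as EXPOSED are the ones to fix first with the 'set admin-forticloud-sso-login disable' command above; those reported as mitigated still need the upgrade, since disabling SSO login is only a workaround.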
Notes:
- The vulnerable-version check takes some time to complete, so the prompt generally does not appear immediately after boot.
- To protect users and block further exploitation, Fortinet disabled FortiCloud SSO access from vulnerable (unpatched) devices on the FortiCloud side starting January 26, 2026. Users on such devices may see a 'Web Page Blocked! Attack ID: 20000021' page when attempting SSO login. See: Troubleshooting Tip: FortiCloud SSO login blocked with 'Web Page Blocked! Attack ID: 20000021' message.
- The warning is based on the firmware version alone. It will still display after FortiCloud SSO login has been disabled.
- Although this does not mitigate the vulnerability, the upgrade warning can be temporarily cleared using the command 'diagnose report-runner vuln-clean'. See this document: One-time upgrade prompt when a critical vulnerability is detected upon login.
Once the scheduled Security Rating check against the FortiGuard servers runs (automatically every 4 hours), the banner reappears, as shown below:

To disable the Security Rating check that runs every 4 hours, refer to this article: Technical Tip: How to disable scheduled FortiGuard Security Rating Checks.
