FortiCloud SSO Authentication Bypass in Fortinet FortiOS/FortiManager/FortiAnalyzer/FortiProxy/FortiWeb

Repository contains a small Python helper tool for CVE-2026-24858 described as an “Administrative FortiCloud SSO authentication bypass.” Structure: - cve_2026_24858_tool.py: single CLI utility with two subcommands: - scan: performs an HTTP(S) GET to the target root path “/” (default https/443), then heuristically flags Fortinet devices by checking for “Forti/FortiGate/FortiOS” in the Server header or HTML body and for headers starting with “X-Forti”. Can print headers/body snippet, dump full body, and save response to disk. - exploit: disabled by default; requires --enable-exploit. Reads a local payload file as raw bytes and POSTs it to an operator-specified endpoint on the target using Content-Type: application/octet-stream. Returns HTTP status, headers, and body snippet; can dump/save full response. - README.md: usage examples and warnings; explicitly states the tool does not craft payloads and only sends exact bytes provided. - requirements.txt: requests>=2.25.0. Overall purpose: a conservative scanner plus a generic payload delivery helper for testing a suspected vulnerable Fortinet web management endpoint. It does not implement the auth bypass logic itself; exploitation depends on the user knowing the correct vulnerable path and providing a crafted payload externally.

Repository purpose: a Python proof-of-concept exploit named “SCTT-0004 VORTEX / SCTT-2026-33-0004” claiming a Fortinet/FortiCloud SSO “temporal session collision” that can bypass mitigations for CVE-2026-24858 by repeatedly interacting with the SSO login flow using precisely timed delays across 33 “layers.” Structure: - README.md: High-level claim and usage instructions (run script with <target> and <token>; oscillate for 33 layers). - SCTT-0004-VORTEX.py: Main exploit/PoC implementation. Creates a requests.Session with TLS verification disabled, computes per-layer timing (“temporal resonance”), crafts SAML-assertion-like data structures per layer (NameID, Conditions, AuthnStatement, Fortinet identity attributes), and drives a multi-request sequence intended to cause an identity/session privilege collision. Includes an interactive authorization prompt and prints results. - SCTT-2026-33-0004.json: Metadata describing the claimed vulnerability, mapping to CWE-288/CWE-347, affected versions, and references to CVE-2026-24858 and CVE-2025-59718. - LICENSE: MIT. Exploit capabilities (as implemented/claimed): - Remote, network-based interaction with a FortiCloud/Fortinet SSO endpoint. - Timing-based request orchestration over 33 iterations to attempt authentication bypass / privilege escalation via session-table “collision.” - Post-condition check by requesting an admin resource path to infer elevated access. Notable observables: - Hardcoded relative paths: /remote/saml/login and /admin/dashboard. - SAML/Fortinet attribute URNs embedded in the crafted assertion structure. - No hardcoded C2 infrastructure; target is user-supplied. The code is more consistent with a PoC than a fully weaponized module (no robust target fingerprinting, limited error handling shown in the provided excerpt, and no configurable payload beyond the request sequence).