Hackers Can Break Into Corporate Security Systems Even When Two-Factor Authentication Is Enabled

A critical security flaw allows hackers to break into corporate cybersecurity systems even when companies have enabled two-factor authentication, the gold standard of digital protection.

What's happening

Fortinet's FortiSOAR platform, used by thousands of companies to manage their cybersecurity operations, contains a vulnerability that lets attackers bypass authentication entirely. This affects organizations ranging from small businesses to Fortune 500 companies that rely on FortiSOAR to coordinate their security responses to cyber threats. When hackers exploit this flaw, they gain the same access as legitimate security administrators—meaning they can see all security alerts, modify incident responses, and potentially cover their tracks while attacking other systems.

How the attack works

The attack works like a sophisticated form of digital eavesdropping and mimicry. Imagine you're using a secure building that requires both a keycard and a temporary security code sent to your phone. An attacker intercepts both your keycard information and that temporary code as you enter, then rushes to use both credentials before the temporary code expires. In FortiSOAR's case, when a legitimate user logs in with their username, password, and 2FA token, an attacker who can monitor and decrypt the network traffic can capture this authentication request. They then have a narrow window—before the 2FA token expires—to replay that exact same request to the system. The system, seeing what appears to be a valid authentication attempt, grants full access.

The attack requires significant technical skill and network access, but once successful, gives attackers complete control over an organization's security operations center. They can see ongoing investigations, modify security rules, or use their access as a stepping stone to compromise other critical systems.

The technical reality

The vulnerability, tracked as CVE-2026-23708 with a CVSS score of 7.5 (High), stems from improper authentication validation in FortiSOAR's session management. The system fails to implement adequate replay protection mechanisms for 2FA tokens, allowing captured authentication requests to be reused within the token validity window. Security researchers classify this as an authentication bypass vulnerability that can lead to complete system compromise.

Who is at risk

Organizations running specific versions of FortiSOAR are vulnerable: PaaS versions 7.6.0 through 7.6.3 and 7.5.0 through 7.5.2, as well as on-premise installations of the same version ranges. This includes companies using FortiSOAR to manage security incident response, threat hunting operations, and automated security workflows. While no active exploitation has been confirmed in the wild yet, security experts warn that the technical details are now public, making attacks more likely. Organizations in finance, healthcare, government, and critical infrastructure sectors—which commonly use enterprise security orchestration platforms—face the highest risk due to the sensitive nature of their operations.

What you should do right now

1. Immediately upgrade to FortiSOAR version 7.6.4 or 7.5.3, depending on your current branch. Fortinet has patched this vulnerability in these releases. Check your current version in the FortiSOAR admin console under System Settings.

2. Review authentication logs from the past 30 days for suspicious login patterns, particularly successful logins from unusual IP addresses or multiple rapid authentication attempts from the same user account. Look for authentication events that occurred outside normal business hours or from unexpected geographic locations.

3. Implement network segmentation to limit who can intercept FortiSOAR authentication traffic. Ensure the platform is only accessible through VPN connections or from trusted network segments, and consider requiring additional network-level authentication for administrative access. If possible, enable session recording to monitor administrative actions for signs of unauthorized access.