Fortinet Confirms Critical FortiCloud SSO Vulnerability (CVE-2026-24858) Actively Exploited in the Wild

Fortinet has confirmed a critical authentication bypass vulnerability in its FortiCloud SSO feature, actively exploited in the wild under CVE-2026-24858.

According to an advisory published on January 27, 2026, the flaw affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy. With a CVSSv3 score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it stems from improper access control (CWE-288) in the GUI component.

Attackers possessing a FortiCloud account and a registered device can log into other devices registered to different accounts if FortiCloud SSO is enabled.

Notably, this feature is not active by default but is enabled during FortiCare registration from the GUI unless administrators explicitly disable the “Allow administrative login using FortiCloud SSO” toggle.

Exploitation Details and Threat Actor Activity

Fortinet detected exploitation by two malicious FortiCloud accounts, which were locked out on January 22, 2026. To safeguard customers, the vendor disabled FortiCloud SSO on the cloud side on January 26, re-enabled it the next day, and now blocks SSO logins from devices running vulnerable versions.

Post-authentication, attackers downloaded customer config files for reconnaissance and created persistent local admin accounts.

The main observed operations are config exfiltration and admin privilege escalation. Fortinet urges customers to review all admin accounts for anomalies. FortiWeb and FortiSwitch Manager are still under investigation.

Urgent upgrades are essential; Fortinet provides an upgrade path tool. Affected versions and fixed releases:

Product           | Affected versions      | Solution
FortiAnalyzer 7.6 | 7.6.0 through 7.6.5    | Upgrade to 7.6.6 or above
FortiAnalyzer 7.4 | 7.4.0 through 7.4.9    | Upgrade to 7.4.10 or above
FortiAnalyzer 7.2 | 7.2.0 through 7.2.11   | Upgrade to 7.2.12 or above
FortiAnalyzer 7.0 | 7.0.0 through 7.0.15   | Upgrade to 7.0.16 or above
FortiAnalyzer 6.4 | Not affected           | N/A
FortiManager 7.6  | 7.6.0 through 7.6.5    | Upgrade to 7.6.6 or above
FortiManager 7.4  | 7.4.0 through 7.4.9    | Upgrade to 7.4.10 or above
FortiManager 7.2  | 7.2.0 through 7.2.11   | Upgrade to 7.2.13 or above
FortiManager 7.0  | 7.0.0 through 7.0.15   | Upgrade to 7.0.16 or above
FortiManager 6.4  | Not affected           | N/A
FortiOS 7.6       | 7.6.0 through 7.6.5    | Upgrade to 7.6.6 or above
FortiOS 7.4       | 7.4.0 through 7.4.10   | Upgrade to 7.4.11 or above
FortiOS 7.2       | 7.2.0 through 7.2.12   | Upgrade to 7.2.13 or above
FortiOS 7.0       | 7.0.0 through 7.0.18   | Upgrade to 7.0.19 or above
FortiOS 6.4       | Not affected           | N/A
FortiProxy 7.6    | 7.6.0 through 7.6.4    | Upgrade to 7.6.6 or above
FortiProxy 7.4    | 7.4.0 through 7.4.12   | Upgrade to 7.4.13 or above
FortiProxy 7.2    | All versions           | Migrate to a fixed release
FortiProxy 7.0    | All versions           | Migrate to a fixed release

Indicators of Compromise

Fortinet shared IoCs for threat hunting. Review logs for these signs of compromise:

Type                     | IoC value
SSO login accounts       | cloud-noc@mail[.]io, cloud-init@mail[.]io
Malicious local accounts | audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system

The actors have since shifted to Cloudflare-protected IP addresses, and the e-mail accounts may change now that the original ones have been neutralized.
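To show how the two account-based IoCs above can be hunted in device event logs, here is an added example (not from Fortinet or the article): it parses FortiOS-style key=value event lines, flags successful logins by the listed SSO accounts, and reports every local admin creation, rating those that use the listed account names as high. The sample log lines and the field names used for login and admin-creation events (action, status, cfgpath, cfgobj) are constructed assumptions; check them against your own firmware's log reference.

```python
import re

# IoCs as published in the advisory above (e-mail addresses defanged there as mail[.]io).
MALICIOUS_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
MALICIOUS_LOCAL_ACCOUNTS = {"audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
                            "deploy", "remoteadmin", "security", "svcadmin", "system"}

# key=value pairs, quoted or bare, as FortiOS event logs emit them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict (quoted values unquoted)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def hunt(lines):
    """Return (severity, reason, actor, detail) findings for the IoCs above.

    Assumed field layout: action="login"/status="success" marks an admin login;
    action="Add"/cfgpath="system.admin"/cfgobj=<name> marks a local admin being created.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        actor = ev.get("user", "").lower()
        if ev.get("action") == "login" and ev.get("status") == "success":
            if actor in MALICIOUS_SSO_ACCOUNTS:
                findings.append(("high", "login by known malicious FortiCloud SSO account",
                                 actor, ev.get("ui", "")))
        elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            created = ev.get("cfgobj", "").lower()
            # Every new admin deserves review; names from the advisory are rated high.
            sev = "high" if created in MALICIOUS_LOCAL_ACCOUNTS else "review"
            findings.append((sev, "local admin account created", actor, created))
    return findings

# Constructed sample events (not real logs; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).
SAMPLE_LOG = '''\
date=2026-01-23 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="cloud-noc@mail.io" ui="https(203.0.113.10)" action="login" status="success"
date=2026-01-23 time=03:14:20 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-noc@mail.io" ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="backupadmin" cfgattr="accprofile[super_admin]"
date=2026-01-23 time=09:00:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(192.0.2.5)" action="login" status="success"
date=2026-01-23 time=09:05:44 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(192.0.2.5)" action="Add" cfgpath="system.admin" cfgobj="netops-jdoe" cfgattr="accprofile[super_admin]"
'''

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(*finding)
```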

Mitigations

FortiCloud SSO now rejects logins from vulnerable devices; to disable the feature locally as well, use:

  • FortiOS/FortiProxy CLI:

        config system global
            set admin-forticloud-sso-login disable
        end

  • FortiManager/FortiAnalyzer CLI:

        config system saml
            set forticloud-sso disable
        end

GUI paths: System > Settings (toggle off) or System Settings > SAML SSO.

Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service after confirming active exploitation of a zero-day authentication bypass vulnerability in multiple products.

The post Fortinet Confirms Critical FortiCloud SSO Vulnerability (CVE-2026-24858) Actively Exploited in the Wild appeared first on Cyber Security News.
