Fortinet Confirms Actively Exploited Critical FortiCloud SSO Zero-Day (CVE-2026-24858)

Listen to this Post

Featured Image

A New Authentication Bypass Shakes Fortinet’s Security Ecosystem

Fortinet has confirmed the active exploitation of a previously unknown, critical authentication bypass vulnerability affecting its FortiCloud single sign-on (SSO) infrastructure. Tracked as CVE-2026-24858, the flaw allows attackers to gain unauthorized administrative access to Fortinet devices across different customer environments. The discovery has raised immediate concerns across enterprises relying on FortiOS, FortiManager, and FortiAnalyzer, especially because the attacks were observed even on systems fully patched against earlier FortiCloud SSO flaws.

Why This Vulnerability Matters

The issue goes beyond a simple misconfiguration or delayed patching problem. Attackers were able to abuse FortiCloud SSO itself, bypassing authentication checks through an alternate path that remained accessible even after December 2025 security updates. This placed fully up-to-date environments at risk, challenging assumptions about patch sufficiency and cloud-based trust models.

Summary of the Original

Initial Reports of Compromise

On January 21, Fortinet customers began reporting suspicious activity on FortiGate firewalls. Attackers were observed creating new local administrator accounts through FortiCloud SSO, despite the affected devices running the latest available firmware.

Early Attribution to a Previous Flaw

At first, the intrusions were believed to be linked to CVE-2025-59718, a critical FortiCloud SSO authentication bypass vulnerability that had been disclosed and patched in December 2025. However, indicators soon suggested a different, previously unknown exploitation path.

Repeated Indicators Across Incidents

Affected administrators noticed attackers logging in via FortiCloud SSO using suspicious email accounts, most notably [email protected]
, before creating new local admin users. Logs showed striking similarities to exploitation patterns seen during the December campaign.

Confirmation by Security Researchers

On January 22, cybersecurity firm Arctic Wolf confirmed the attacks and described them as automated and highly efficient. Within seconds of access, attackers created rogue administrator and VPN-enabled accounts and exfiltrated firewall configuration files.

Fortinet Acknowledges a New Attack Path

By January 23, Fortinet confirmed that attackers were exploiting an alternate authentication path that remained accessible even on fully patched systems. Fortinet CISO Carl Windsor acknowledged that compromises had occurred on devices running the most recent firmware versions.

Broader Impact on SAML-Based SSO

Although exploitation was only observed through FortiCloud SSO, Fortinet warned that the underlying issue could affect all SAML-based SSO implementations, not just its own cloud service.

Immediate Mitigation Measures

Fortinet advised customers to restrict administrative access and temporarily disable FortiCloud SSO. Simultaneously, the company began deploying server-side mitigations to contain the active attacks.

Timeline of Fortinet’s Response

On January 22, Fortinet disabled the FortiCloud accounts abused by attackers.
On January 26, FortiCloud SSO was disabled globally to prevent further exploitation.
On January 27, SSO access was restored with restrictions preventing vulnerable firmware from authenticating.

Formal Disclosure and CVE Assignment

Also on January 27, Fortinet published an official PSIRT advisory assigning CVE-2026-24858, rating it critical with a CVSS score of 9.4. The vulnerability was classified as an authentication bypass caused by improper access control.

How the Exploit Works

According to Fortinet, attackers with a FortiCloud account and a registered device could authenticate to other customers’ devices if FortiCloud SSO was enabled, effectively breaking tenant isolation.

Default Configuration Risks

While FortiCloud SSO is not enabled by default, it is automatically activated when a device is registered with FortiCare unless administrators manually disable it afterward.

Known Malicious Accounts and Indicators

Fortinet identified two malicious FortiCloud SSO accounts used in the attacks and locked them on January 22. The attackers created multiple standardized admin accounts and connected from a consistent set of IP addresses, later expanded by third-party intelligence.

Patch Status and Ongoing Investigation

Patches for FortiOS, FortiManager, and FortiAnalyzer remain in development. Fortinet is also investigating whether FortiWeb and FortiSwitch Manager are affected.

Recommended Response for Impacted Customers

Fortinet warns that any device showing these indicators should be treated as fully compromised. Administrators are advised to review all admin accounts, restore clean backups, and rotate all credentials immediately.

What Undercode Say:

A Trust Boundary Failure in Cloud-Managed Security

This incident highlights a recurring weakness in cloud-managed security products: overreliance on centralized identity systems without airtight tenant isolation. FortiCloud SSO effectively became a shared trust boundary, and once that boundary cracked, customer segmentation collapsed.

Fully Patched Does Not Mean Fully Safe

One of the most alarming aspects of CVE-2026-24858 is that it affected devices running the latest firmware. This undermines the conventional security narrative that staying fully patched is sufficient protection against known threats.

SSO as a High-Value Target

Single sign-on systems are attractive to attackers because they aggregate access across environments. When SSO fails, the blast radius is significantly larger than with traditional, device-local authentication flaws.

Automation Signals a Mature Threat Actor

Arctic Wolf’s observation that the attacks were automated suggests a well-prepared adversary. The speed at which admin accounts were created and configurations exfiltrated indicates pre-built tooling rather than opportunistic exploitation.

Reused Infrastructure and Naming Patterns

The consistent use of generic admin account names like backup, secadmin, and svcadmin points to standardized playbooks designed to blend into enterprise environments and avoid immediate detection.

Cloud Identity as an Attack Surface

This incident reinforces that cloud identity layers must be treated as exposed attack surfaces, not implicit security controls. Improper access control at this layer can bypass all downstream defenses.

Server-Side Mitigation as a Stopgap

Fortinet’s decision to implement server-side blocks was necessary and effective in the short term. However, it also underscores how much control cloud vendors wield over on-premises security behavior.

Default Enablement Increases Risk

Automatically enabling FortiCloud SSO during FortiCare registration introduces silent risk. Many organizations may not realize SSO is active, especially if it was not explicitly configured.

Broader Implications for SAML Deployments

Fortinet’s warning that the flaw could affect other SAML-based SSO implementations should not be ignored. Similar logic flaws may exist elsewhere, especially in hybrid cloud-on-prem authentication flows.

Detection and Response Gaps

Organizations that lack detailed logging or regular admin account audits may not notice such compromises until long after data has been exfiltrated or persistence established.

Patch Lag Creates Strategic Windows

With patches still in development, attackers have a window of opportunity to test variations of the exploit or adapt it to adjacent products.

Supply Chain Confidence Takes a Hit

Security vendors are expected to model best practices. When foundational authentication systems fail, customer confidence in the broader ecosystem is inevitably shaken.

Lessons for Security Architecture

Defense-in-depth must include independent authentication paths and strict validation between cloud and device-level identities. Shared identity shortcuts are convenient but dangerous.

The Cost of Implicit Trust

At its core, this incident is about implicit trust between cloud services and customer devices. Once attackers impersonated that trust, everything downstream became accessible.

A Warning Shot for 2026

CVE-2026-24858 sets an early tone for 2026: identity-centric attacks will continue to dominate, and cloud-linked infrastructure will remain a prime target.

Fact Checker Results

Exploitation Confirmed in the Wild

✅ Multiple customers and third-party researchers independently confirmed active exploitation.

Severity and Impact Assessment

✅ CVSS score of 9.4 aligns with observed administrative-level compromise.

Mitigation Status

❌ Full client-side patches are not yet available, leaving reliance on server-side controls.

Prediction

Short-Term Patch Rollout

🔧 Fortinet will release emergency patches within weeks to permanently close the alternate authentication path.

Increased Scrutiny of SSO Defaults

🔍 Enterprises will begin disabling cloud SSO features by default unless explicitly required.

Broader Industry Ripple Effect

⚠️ Other vendors using SAML-based hybrid SSO models will quietly audit their implementations following this disclosure.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon