Fortinet has confirmed that a critical zero-day vulnerability in its FortiCloud single sign-on (SSO) service — tracked as CVE-2026-24858 — is being actively exploited in the wild. Rather than leave customers exposed while a full patch is developed, Fortinet has taken emergency protective action to mitigate attacks.

What Happened?

Earlier in January 2026, Fortinet customers began reporting suspicious activity on FortiGate firewalls, where attackers were using FortiCloud SSO to gain administrative access and create new local admin accounts. These incidents followed a prior exploitation campaign in late 2025 involving critical FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719).

While the original flaws were patched in December 2025, recent attacks showed a new attack path that allowed malicious actors to bypass authentication even on fully patched devices — raising significant concern across the security community.

The Threat: What Attackers Are Doing

Malicious actors exploiting this vulnerability can:

  • Bypass FortiCloud SSO authentication without valid credentials

  • Gain administrator-level access to Fortinet devices

  • Create persistent local administrator accounts

  • Exfiltrate configuration files and potentially expose network setup and credentials

  • Enable unauthorized services like VPN access for persistence

Observed attacks have involved automated SSO logins using generic FortiCloud accounts such as [email protected] and [email protected], followed by rapid configuration changes and data exfiltration.

Security researchers have noted that this abuse mirrors past campaigns that exploited similar FortiCloud SSO bypass flaws, underlining the ongoing risk associated with authentication bypass vulnerabilities in critical infrastructure devices.

Fortinet’s Mitigation: Blocking the Exploit

To protect customers while the new patch is finalized, Fortinet has taken the unusual step of blocking FortiCloud SSO connections from devices with vulnerable firmware versions at the service level. This action effectively prevents exploitation without requiring individual administrators to disable features immediately.

Key mitigations and responses include:

  • Blocking FortiCloud SSO access for vulnerable devices until patches are available

  • Disabling FortiCloud accounts being abused by attackers

  • Restoring FortiCloud SSO with restrictions to prevent further abuse

  • Advising administrators to restrict remote administrative access

  • Optional: disabling FortiCloud SSO on devices that don’t need it as a precaution

  • Monitoring for indicators of compromise (IoCs) and unauthorized activity

Fortinet has also published a formal PSIRT advisory detailing the vulnerability and defensive measures.

What Administrators Should Do Now

Even with server-side blocks in place, security teams must remain vigilant. Recommended steps include:

✔ Review Administrative Access Policies
Ensure that access to Fortinet devices is limited and not exposed broadly on the internet.

✔ Monitor Logs Closely
Look for unusual administrative logins, especially via SSO or unexpected account creation activity.

✔ Disable FortiCloud SSO Where Appropriate
If the feature isn’t essential, disabling FortiCloud SSO can eliminate the attack surface — at least until the official patch is released.

✔ Prepare to Update Firmware Once Patches Are Available
Apply the forthcoming FortiOS, FortiManager, and FortiAnalyzer patches as soon as they are released.

✔ Review All Configurations After an Incident
If compromise is suspected, assume device integrity is impacted — perform forensic review, restore configurations from known clean backups, and rotate credentials.

Broader Security Implications

This zero-day incident underscores a broader truth in modern cybersecurity: authentication mechanisms like SSO, while convenient, significantly widen the attack surface when poorly implemented or improperly validated. Security professionals must balance usability with risk and ensure that authentication integrations (especially cloud-based SSO) are paired with strong network protections and monitoring.

Give Equal Technology Solutions a Call Today and We can Assist!