Fortinet Confirms Active Exploitation of FortiCloud SSO Zero-Day, Releases Mitigations as Patch Is Prepared

Fortinet has confirmed that a critical FortiCloud Single Sign-On (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, is being actively exploited in the wild. In response, the company has temporarily blocked FortiCloud SSO logins from devices running vulnerable firmware while engineers finalize and distribute a permanent software patch.

What Is CVE-2026-24858?

CVE-2026-24858 is a critical authentication bypass flaw in the FortiCloud SSO feature used by multiple Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, and potentially FortiProxy. This zero-day vulnerability allows attackers with a FortiCloud account and a registered device to authenticate into other customers’ devices if FortiCloud SSO is enabled.

Importantly, Fortinet notes that FortiCloud SSO is not enabled by default on new hardware—but it is automatically turned on if administrators register their device with FortiCare and do not explicitly disable the feature.

According to security analysts, the underlying issue centers on improper access control in the alternate authentication path FortiCloud uses for SSO, allowing adversaries to bypass the intended login checks.

Active Exploitation and Attack Behavior

Customers first noticed problems in mid-January when previously patched FortiGate firewalls began showing signs of compromise. In affected cases:

  • Attackers logged in via FortiCloud SSO using accounts like [email protected] and [email protected].
  • They created unauthorized local administrator accounts, often with names such as audit, itadmin, secadmin, or svcadmin.
  • After gaining elevated access, the attackers made configuration changes and exfiltrated firewall configuration files. These files can include hashed credentials, network topology information, security policies, and other sensitive data.

In some incidents, threat actors even enabled VPN access for their rogue accounts to support ongoing access.

Before Fortinet blocked SSO, the attack activity appeared highly automated, with malicious sessions creating accounts and exporting configurations within seconds of initial access.

Relation to Previous FortiCloud SSO Flaws

This new zero-day looks related to earlier FortiCloud SSO issues patched in December 2025—specifically CVE-2025-59718 and CVE-2025-59719, which stemmed from improper verification of cryptographic signatures in SAML messages. Those issues allowed attackers to bypass authentication with malicious SAML assertions but were thought to be fixed.

However, fresh exploitation reported in January indicated a new attack path that was unaffected by those earlier patches. Fortinet confirmed that devices fully updated against the 2025 vulnerabilities were still compromised, underscoring the presence of a distinct zero-day—now tracked as CVE-2026-24858.

Immediate Response: Blocking FortiCloud SSO

To mitigate ongoing exploitation while patch development proceeds, Fortinet has taken several protective actions at the service level:

  1. Disabled FortiCloud accounts being abused by attackers.
  2. Globally disabled FortiCloud SSO traffic from vulnerable firmware versions.
  3. On January 27, re-enabled FortiCloud SSO with restrictions so that only devices with updated, non-vulnerable firmware can authenticate via SSO.

This server-side block means that, for the moment, administrators do not need to disable the SSO feature client-side to avoid exploitation—provided they upgrade to fixed versions once they are available.

Indicators of Compromise (IOCs)

Fortinet and multiple incident response teams have identified several common indicators associated with the active exploitation of the FortiCloud SSO zero-day (CVE-2026-24858). Administrators are strongly advised to review logs and device configurations for the following signs of compromise.

Suspicious FortiCloud SSO Accounts

Attackers abused FortiCloud SSO to authenticate using email-based accounts that do not belong to the organization. Known malicious or suspicious account names observed in attacks include:

Any FortiCloud SSO login from an unknown email domain should be treated as high-risk.

Unauthorized Local Administrator Accounts

After successful authentication, attackers commonly created new local administrator accounts to maintain persistence. Frequently observed account names include:

  • audit
  • itadmin
  • secadmin
  • svcadmin
  • Variants that resemble service or audit users

These accounts were often granted super_admin privileges and sometimes enabled for VPN access.

Configuration Changes and Data Exfiltration

Compromised devices showed evidence of rapid configuration access and export activity, including:

  • Unauthorized firewall configuration exports
  • Sudden creation or modification of:
    • Admin users
    • VPN settings
    • Firewall policies
  • Log entries showing configuration downloads shortly after SSO login

Because FortiGate configuration files may contain hashed credentials, VPN secrets, network topology, and policy data, any unexpected export should be treated as a full device compromise.

Suspicious Login Events in Logs

Review system and event logs for:

  • FortiCloud SSO logins from unexpected IP addresses
  • Administrative logins occurring at unusual times
  • Login activity immediately followed by:
    • Admin account creation
    • Configuration changes
    • VPN enablement

In many observed cases, malicious actions occurred within seconds of the initial SSO login, indicating automation.
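The log indicators listed above (an SSO login from an e-mail domain that is not the organisation's, followed within seconds by admin account creation with one of the suspect names, a configuration export, or a VPN change) can be checked mechanically. The following Python is an added example, not part of the original article or of any Fortinet tooling; it runs over constructed lines that only approximate FortiOS key=value event logs, and the field names, the `sso(...)` ui value, the `corp.example.com` trusted domain and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines approximating FortiOS key=value event logs; the field names
# (logdesc, ui, cfgpath, cfgobj) and the "sso(...)" ui value are assumptions of this example.
SAMPLE_LOGS = """\
date=2026-01-20 time=03:14:07 logdesc="Admin login successful" user="ops@example.net" ui="sso(203.0.113.9)" action="login" status="success"
date=2026-01-20 time=03:14:09 logdesc="Object attribute configured" user="ops@example.net" cfgpath="system.admin" cfgobj="svcadmin" cfgattr="accprofile[super_admin]"
date=2026-01-20 time=03:14:12 logdesc="Configuration backup" user="ops@example.net" action="download" status="success"
date=2026-01-20 time=09:00:01 logdesc="Admin login successful" user="jdoe@corp.example.com" ui="sso(10.0.0.5)" action="login" status="success"
date=2026-01-20 time=09:45:30 logdesc="Object attribute configured" user="jdoe@corp.example.com" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[review]"
"""
TRUSTED_DOMAINS = {"corp.example.com"}  # the organisation's own SSO e-mail domain (assumed)
SUSPECT_ADMIN_NAMES = {"audit", "itadmin", "secadmin", "svcadmin"}  # names cited in the advisory
CFG_KINDS = {"system.admin": "admin account change", "vpn.ssl.settings": "VPN configuration change"}
WINDOW = timedelta(seconds=60)  # attackers acted "within seconds of the initial SSO login"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    return {**rec, "ts": datetime.fromisoformat(f"{rec['date']} {rec['time']}")}

def followup_kind(rec):
    # Map a post-login event to one of the behaviours the advisory describes, else None.
    if rec.get("logdesc") == "Configuration backup" and rec.get("action") == "download":
        return "configuration export"
    if rec.get("logdesc") == "Object attribute configured":
        return CFG_KINDS.get(rec.get("cfgpath"))

def find_suspicious_sso_sessions(text, trusted_domains=TRUSTED_DOMAINS):
    # Returns (login time, user, reasons) for each FortiCloud SSO login matching the pattern.
    recs = sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda r: r["ts"])
    findings = []
    for i, login in enumerate(recs):
        if not (login.get("action") == "login" and login.get("status") == "success" and login.get("ui", "").startswith("sso")):
            continue
        user, reasons = login["user"], []
        domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
        if domain not in trusted_domains:
            reasons.append(f"SSO login from unknown domain '{domain}'")
        for nxt in recs[i + 1:]:  # the same user's events inside the time window
            if nxt["ts"] - login["ts"] > WINDOW:
                break
            kind = followup_kind(nxt) if nxt.get("user") == user else None
            if kind:
                if nxt.get("cfgobj") in SUSPECT_ADMIN_NAMES:
                    kind += f" (known suspect name '{nxt['cfgobj']}')"
                reasons.append(f"{kind} {int((nxt['ts'] - login['ts']).total_seconds())}s after login")
        if reasons:
            findings.append((login["ts"].isoformat(sep=" "), user, reasons))
    return findings
```

On the sample input only the first login is reported, with three reasons; the in-house login that changes a firewall policy 45 minutes later falls outside the window and is not flagged.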

Network and Management Exposure

Devices that were internet-exposed for management access were at higher risk. Indicators include:

  • HTTPS or administrative access allowed from 0.0.0.0/0
  • Management interfaces exposed on WAN interfaces
  • No IP allow-listing for admin access

Recommended IOC Response Actions

If any of the above indicators are found:

  1. Immediately disable FortiCloud SSO (if not already blocked by Fortinet).
  2. Remove unauthorized administrator accounts.
  3. Rotate all credentials, including VPN and admin passwords.
  4. Restore configuration from a known clean backup.
  5. Restrict management access to trusted IP addresses only.
  6. Apply Fortinet’s official patch as soon as it becomes available.

Vendor Recommendations and Mitigations

Fortinet and industry responders urge customers to take the following steps:

  • Install the forthcoming security updates for FortiOS, FortiManager, and FortiAnalyzer as soon as they are released.
  • Restrict management access from the internet, using firewall policies to limit administrative traffic to trusted internal IP addresses.
  • Optionally, temporarily disable FortiCloud SSO on devices until patched:

    ```
    config system global
        set admin-forticloud-sso-login disable
    end
    ```
  • Audit and remove any unexpected administrative accounts created during exploitation.
  • Restore configurations from known clean backups and rotate credentials if compromise is suspected.

Broader Implications

Fortinet has warned that while only FortiCloud SSO exploitation has been observed so far, all SAML-based SSO implementations could theoretically be susceptible to similar bypass methods if not properly checked.