# Critical FortiCloud SSO zero-day forces emergency service disablement at Fortinet

Published 2026-01-28 at https://newestek.com/?p=15561

Fortinet has disclosed a critical authentication bypass zero-day vulnerability affecting its FortiCloud single sign-on feature after the company took the emergency step of temporarily disabling the cloud authentication service globally to stop active exploitation.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day.

The vulnerability, tracked as [CVE-2026-24858](https://www.cve.org/CVERecord?id=CVE-2026-24858), is the second critical FortiCloud SSO flaw Fortinet has addressed in recent weeks. The company patched two [similar authentication bypass vulnerabilities](https://www.csoonline.com/article/4104499/fortinet-admins-urged-to-update-software-to-close-forticloud-sso-holes.html?utm=hybrid_search), CVE-2025-59718 and CVE-2025-59719, in December.

CVE-2026-24858 allowed attackers to compromise FortiGate firewalls, FortiManager, and FortiAnalyzer devices even when those systems were running the latest available firmware. Customers first reported breaches on January 20 and 21, with attackers creating new local administrator accounts on fully patched devices, [Fortinet said in its advisory](https://fortiguard.fortinet.com/psirt/FG-IR-26-060).

Fortinet has begun releasing patches for affected products, but most fixed versions are still listed as “upcoming” in the company’s advisory. The company released FortiOS 7.4.11 to address the vulnerability, with additional patched versions expected shortly.

“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on January 22,” the advisory added.

## How the vulnerability works

CVE-2026-24858 is “an authentication bypass using an alternate path or channel vulnerability” affecting FortiOS, FortiManager, and FortiAnalyzer, according to Fortinet’s advisory. The flaw carries a CVSS score of 9.4.

The vulnerability “may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in the advisory.

While FortiCloud SSO is not enabled in factory default settings, it automatically activates when administrators register devices to FortiCare through the GUI unless they manually disable the “Allow administrative login using FortiCloud SSO” toggle during registration.

Fortinet noted that while exploitation has only been observed through FortiCloud SSO, “this issue is applicable to all SAML SSO implementations.”

## Attack details and indicators

Fortinet’s investigation into the exploitation revealed attackers used two specific FortiCloud accounts: “cloud-noc@mail.io” and “cloud-init@mail.io,” though the company warned “these addresses may change in the future.”

Fortinet identified multiple IP addresses associated with the attacks, including several Cloudflare-protected addresses that attackers used to obscure their activities.

“Following authentication via SSO, it has been observed that the actor creates a local admin account with one of the following names,” Fortinet warned, listing accounts including “audit,” “backup,” “itadmin,” “secadmin,” “support,” and “system.”

The attackers’ main operations focused on downloading customer configuration files and creating persistent admin accounts.

## Emergency cloud-side shutdown

In response to the active exploitation, Fortinet disabled FortiCloud SSO across its entire cloud infrastructure on January 26 to protect customers from further attacks.

The feature was re-enabled 24 hours later with a critical safeguard. “It was re-enabled on January 27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function,” Fortinet explained.

This server-side blocking means organizations running vulnerable versions cannot use FortiCloud SSO until they upgrade to patched releases, even though most of those patches are not yet available.

## Affected products and patch status

The vulnerability affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy versions 7.0 through 7.6. Version 6.4 releases are not affected. Fortinet said it is still investigating whether FortiWeb and FortiSwitch Manager are also vulnerable.

Fortinet’s advisory lists most patched versions as “upcoming,” with FortiOS 7.4.11 appearing to be the only released fix so far. The company’s upgrade tool provides recommended upgrade paths once patches become available.

## Federal deadline and immediate actions

[CISA’s addition](https://www.cisa.gov/news-events/alerts/2026/01/27/cisa-adds-one-known-exploited-vulnerability-catalog) of CVE-2026-24858 to the KEV catalog means federal civilian executive branch agencies must patch affected systems by February 17, 2026, or discontinue use of vulnerable products. The agency said the vulnerability “is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

The company noted that “disabling FortiCloud SSO login on client side is not necessary at the moment,” though organizations can disable the feature locally through System Settings or CLI commands if desired.