Published on January 28, 2026
Fortinet Blocks Exploited FortiCloud SSO Zero-Day Until Patch Is Ready
Severity
Critical
Fortinet has confirmed an actively exploited, critical authentication bypass vulnerability in FortiCloud Single Sign-On (SSO), tracked as CVE-2026-24858. The flaw lets an attacker use FortiCloud SSO to obtain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices belonging to other customers, even on devices running fully patched firmware, because the bypass lives in the SSO authentication path rather than in a device-side bug that a firmware patch had already addressed.
| CVE Number | Description | CVSS Score (Severity) |
| --- | --- | --- |
| CVE-2026-24858 | Authentication Bypass Using an Alternate Path or Channel, caused by improper access control in FortiCloud SSO | 9.4 (Critical) |
An attacker with a FortiCloud account and a registered device could authenticate to other customers’ devices if FortiCloud SSO was enabled.
While FortiCloud SSO is not enabled by default, Fortinet notes that it is automatically enabled when a device is registered with FortiCare unless manually disabled.
Although exploitation has only been observed via FortiCloud SSO, Fortinet warned that the vulnerability applies to all SAML-based SSO implementations.
- January 21: Fortinet customers reported compromised FortiGate devices, with attackers creating new local administrator accounts via FortiCloud SSO on systems running the latest firmware.
- January 22: Arctic Wolf confirmed automated attacks creating rogue admin and VPN-enabled accounts and exfiltrating firewall configurations within seconds. Fortinet disabled FortiCloud accounts observed abusing the flaw.
- January 23: Fortinet confirmed attackers were exploiting an alternate authentication path that remained accessible even on fully patched systems.
- January 26: Fortinet globally disabled FortiCloud SSO on the server side.
- January 27: FortiCloud SSO access was restored with restrictions preventing vulnerable devices from authenticating via SSO. Fortinet published a PSIRT advisory assigning CVE-2026-24858.
Affected Versions
This vulnerability was observed being actively exploited in the wild by two malicious FortiCloud accounts, which were disabled on January 22, 2026. To prevent further exploitation, Fortinet disabled FortiCloud SSO on the FortiCloud side on January 26, 2026. The service was re-enabled on January 27, 2026, with restrictions in place to block authentication attempts from devices running vulnerable firmware versions.
The following products and configurations are not impacted:
- FortiManager Cloud
- FortiAnalyzer Cloud
- FortiGate Cloud
The following product is currently under investigation:
- FortiSwitch Manager
| Product / Branch | Affected Versions | Solution |
| --- | --- | --- |
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiAnalyzer 6.4 | Not affected | Not applicable |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiManager 6.4 | Not affected | Not applicable |
| FortiOS 8.0 | Not affected | Not applicable |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to upcoming 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to upcoming 7.0.19 or above |
| FortiOS 6.4 | Not affected | Not applicable |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to upcoming 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to upcoming 7.4.13 or above |
| FortiProxy 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiWeb 8.0 | 8.0.0 through 8.0.3 | Upgrade to upcoming 8.0.4 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.6 | Upgrade to upcoming 7.6.7 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.11 | Upgrade to upcoming 7.4.12 or above |
| FortiWeb 7.2 | Not affected | Not applicable |
| FortiWeb 7.0 | Not affected | Not applicable |
Recommendation
Customers must upgrade to the latest supported versions listed in the table above in order for FortiCloud SSO authentication to function correctly.
FortiCloud SSO authentication no longer allows logins from devices running vulnerable firmware versions. As a result, disabling FortiCloud SSO on the client side is not required at this time to prevent exploitation.
For reference, administrators may still choose to manually disable FortiCloud SSO using the methods listed in https://fortiguard.fortinet.com/psirt/FG-IR-26-060.
IoC
Email Addresses
- cloud-noc@mail.io
- cloud-init@mail.io
IP Addresses
- 104.28.244.115
- 104.28.244.114
- 104.28.212.114
- 104.28.212.115
- 104.28.195.105
- 104.28.195.106
- 104.28.227.105
- 104.28.227.106
Malicious Local Administrator Accounts
- audit
- backup
- backupadmin
- deploy
- itadmin
- remoteadmin
- secadmin
- security
- support
- svcadmin
- system
Observed Attacker Activity
- Downloading customer configuration files
- Creating local administrator accounts to maintain persistent access
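The indicators above are most useful when swept across device event logs for the January 21 to 27 window. The script below is an added example written for this page, not Fortinet's or the advisory's own tooling: it parses FortiOS-style key=value event lines and flags any line that carries one of the listed attacker IPs (in srcip or embedded in the ui field), one of the listed FortiCloud account e-mails, activity under one of the rogue local administrator names, creation of a local administrator object (system.admin), or a configuration export. The SAMPLE_LOGS are constructed to resemble FortiOS output and are not real device logs; the field names (user, ui, action, srcip, cfgpath, cfgobj, msg) are the usual FortiOS ones, but the exact action and msg values for configuration downloads are assumed here and should be aligned with what your firmware actually emits.

```python
"""Hunt FortiOS-style event logs for the CVE-2026-24858 indicators listed above.

Added example, not Fortinet's or this page's own tooling. SAMPLE_LOGS are
CONSTRUCTED to look like FortiOS key=value event lines; confirm the match
conditions (especially the configuration-export check) against your own logs.
"""
import re
from typing import Dict, List

# Indicators taken from the IoC section of this page.
IOC_IPS = {
    "104.28.244.115", "104.28.244.114", "104.28.212.114", "104.28.212.115",
    "104.28.195.105", "104.28.195.106", "104.28.227.105", "104.28.227.106",
}
IOC_EMAILS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
ROGUE_ADMIN_NAMES = {
    "audit", "backup", "backupadmin", "deploy", "itadmin", "remoteadmin",
    "secadmin", "security", "support", "svcadmin", "system",
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def classify(line: str) -> List[str]:
    """Return the reasons a log line matches the indicators; empty list means clean."""
    f = parse_fortios_log(line)
    hits: List[str] = []

    # 1. Attacker IP anywhere in the line: srcip, or inside ui="https(x.x.x.x)".
    for ip in sorted(set(_IPV4.findall(line)) & IOC_IPS):
        hits.append(f"attacker IP {ip}")

    # 2. Attacker FortiCloud account e-mail in any field.
    lowered = line.lower()
    for email in sorted(e for e in IOC_EMAILS if e in lowered):
        hits.append(f"attacker FortiCloud account {email}")

    # 3. Activity performed under one of the rogue local admin names.
    user = f.get("user", "").lower()
    if user in ROGUE_ADMIN_NAMES:
        hits.append(f"activity by rogue admin name '{user}'")

    # 4. Creation of a local administrator object (the observed persistence TTP).
    if f.get("action", "").lower() == "add" and f.get("cfgpath") == "system.admin":
        name = f.get("cfgobj", "?")
        flag = "rogue-named" if name.lower() in ROGUE_ADMIN_NAMES else "unexpected"
        hits.append(f"{flag} local admin '{name}' created")

    # 5. Configuration export (the observed exfiltration TTP). The action/msg
    #    values matched here are ASSUMED; align them with your platform's event.
    msg = f.get("msg", "").lower()
    if f.get("action", "").lower() in {"download", "backup"} and "config" in msg:
        hits.append("configuration file exported")

    return hits


def triage(lines) -> Dict[int, List[str]]:
    """Map 1-based line number -> match reasons, for lines with at least one hit."""
    return {i: r for i, l in enumerate(lines, 1) if (r := classify(l))}


# CONSTRUCTED sample events; not real device output.
SAMPLE_LOGS = [
    'date=2026-01-21 time=10:02:15 devname="fw-edge-01" type="event" subtype="system" level="information" user="admin" ui="sso(104.28.244.115)" action="Add" cfgpath="system.admin" cfgobj="backupadmin" cfgattr="accprofile[super_admin]" msg="Add system.admin backupadmin"',
    'date=2026-01-21 time=10:03:40 devname="fw-edge-01" type="event" subtype="system" level="notice" user="backupadmin" ui="https(104.28.244.115)" action="login" status="success" srcip=104.28.244.115 msg="Administrator backupadmin logged in successfully from https(104.28.244.115)"',
    'date=2026-01-21 time=10:04:02 devname="fw-edge-01" type="event" subtype="system" level="notice" user="backupadmin" ui="https(104.28.244.115)" action="download" msg="Administrator backupadmin downloaded the system configuration"',
    'date=2026-01-21 time=11:15:02 devname="fw-edge-01" type="event" subtype="system" level="notice" user="netops" ui="https(10.20.30.40)" action="login" status="success" srcip=10.20.30.40 msg="Administrator netops logged in successfully from https(10.20.30.40)"',
    'date=2026-01-22 time=03:41:09 devname="fw-branch-07" type="event" subtype="system" level="notice" user="cloud-init@mail.io" ui="sso(104.28.212.114)" action="login" status="success" srcip=104.28.212.114 msg="Administrator cloud-init@mail.io logged in successfully via FortiCloud SSO"',
]

if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOGS).items():
        print(f"line {n}: " + "; ".join(reasons))
```

Run it against an exported event log one line at a time (for example, `classify(line)` per line of a `logs.txt` export). Because the IP check scans the whole line, it catches the attacker address even in events such as configuration changes that carry no srcip field and only record the source inside ui; and because the admin-creation check fires on any system.admin add, not only rogue names, it surfaces accounts the attacker may have created under a name that is not on the published list, which then need to be reviewed by hand.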