Fortinet Warns of Critical Flaw After FortiCloud SSO Exploitation
Fortinet is rolling out updates for CVE-2026-24858, with fixes for some versions available as of Tuesday, and others in releases that are upcoming at an unspecified date.

January 28, 2026 | 2 min read

Fortinet is rolling out fixes for a critical authentication bypass flaw in FortiOS, FortiManager, and FortiAnalyzer, which has been exploited in the wild by threat actors.
The flaw (CVE-2026-24858) could allow attackers who hold a FortiCloud account and a registered device to log into devices that are registered to other accounts. FortiCloud SSO authentication must be enabled on the targeted devices, and the feature is not enabled by default. However, Fortinet warned that if an administrator registers a device to FortiCare from its GUI, the feature is enabled at registration time unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" on the registration page.
Fortinet said the flaw was seen exploited in the wild by two malicious FortiCloud accounts, which were locked out on Jan. 22.
“In order to protect its customers from further exploit, Fortinet disabled FortiCloud SSO on FortiCloud side on 2026-01-26,” according to Fortinet in its advisory on Tuesday. “It was re-enabled on 2026-01-27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions… for the FortiCloud SSO authentication to function.”
The Tuesday advisory came after a December advisory from Fortinet related to two FortiCloud SSO bypass flaws (CVE-2025-59718 and CVE-2025-59719) after a “small number of customers reported unexpected login activity occurring on their devices.” Fortinet had said that it had found cases where devices were fully upgraded to the latest release in these incidents, suggesting a new attack path.
The flaw was added on Tuesday to CISA’s Known Exploited Vulnerabilities catalog. According to CISA, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
The flaw exists in the following versions of FortiAnalyzer, FortiManager, and FortiOS:
Fortinet is rolling out updates, with fixes for some versions available as of Tuesday, and others in releases that are upcoming at an unspecified date. More details can be found in Fortinet’s advisory. In terms of workarounds, Fortinet said “FortiCloud SSO authentication no longer supports login from devices running vulnerable versions… therefore disabling FortiCloud SSO login on client side is not necessary at the moment.”
Fortinet also released IoCs in its Tuesday advisory, including SSO login user accounts linked to the actor and IP addresses.
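Because the exploit path relies on a FortiCloud SSO login landing on a device it should not have access to, the practical detection question for defenders is which administrative logins on each device came in through FortiCloud SSO, and whether the SSO account or source address matches the advisory IoCs or is simply an account nobody in the organization recognizes. The script below is an added example written for this article, not code from Fortinet or from its advisory. It parses constructed key=value event lines in the general style of FortiOS logs; the exact field names used for an SSO login (`method`, `user`, `srcip`, `devname`) are assumptions, and the IoC values are placeholders to be replaced with the accounts and IP addresses published in the advisory.

```python
"""Triage FortiOS-style admin login events for FortiCloud SSO logins.

Added example (not Fortinet code). The key=value layout mirrors FortiOS
event logs in general, but the field names used to mark an SSO login and
the sample records below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Matches key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Parse a key=value log line into a dict, stripping quotes from values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


# Placeholder IoCs: substitute the SSO accounts and IPs from the vendor advisory.
IOC_ACCOUNTS = {"ioc-account@example.invalid"}
IOC_IPS = {"203.0.113.77"}

# FortiCloud accounts expected to administer this fleet (assumed allowlist).
EXPECTED_ACCOUNTS = {"netops@example.com"}


@dataclass
class Finding:
    devname: str
    user: str
    srcip: str
    reason: str


def triage(lines, expected=EXPECTED_ACCOUNTS,
           ioc_accounts=IOC_ACCOUNTS, ioc_ips=IOC_IPS):
    """Return a Finding for every successful FortiCloud SSO admin login that
    matches an IoC or comes from an account outside the expected set."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        # Only successful admin logins that arrived via FortiCloud SSO matter here.
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if ev.get("method") != "forticloud-sso":
            continue
        user = ev.get("user", "")
        srcip = ev.get("srcip", "")
        if user in ioc_accounts or srcip in ioc_ips:
            reason = "matches advisory IoC"
        elif user not in expected:
            reason = "SSO account not on expected list"
        else:
            continue
        findings.append(Finding(ev.get("devname", "?"), user, srcip, reason))
    return findings


# Constructed sample events (not real logs); IPs are documentation ranges.
SAMPLE_LOGS = [
    'date=2026-01-21 time=03:14:07 devname="fgt-branch-01" type="event" '
    'subtype="system" action="login" status="success" method="forticloud-sso" '
    'user="ioc-account@example.invalid" srcip=203.0.113.77 '
    'msg="Administrator logged in via FortiCloud SSO"',
    'date=2026-01-21 time=09:02:11 devname="fgt-hq-01" type="event" '
    'subtype="system" action="login" status="success" method="forticloud-sso" '
    'user="netops@example.com" srcip=198.51.100.10',
    'date=2026-01-21 time=09:05:40 devname="fgt-hq-02" type="event" '
    'subtype="system" action="login" status="success" method="https" '
    'user="admin" srcip=198.51.100.10',
    'date=2026-01-21 time=22:41:03 devname="fgt-branch-02" type="event" '
    'subtype="system" action="login" status="success" method="forticloud-sso" '
    'user="unknown.person@example.net" srcip=192.0.2.5',
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.devname}: SSO login by {f.user} from {f.srcip} ({f.reason})")
```

Run against the sample, the local `https` login and the expected `netops@example.com` SSO login are ignored; the IoC match on `fgt-branch-01` and the unrecognized SSO account on `fgt-branch-02` are reported. The allowlist check is the part worth keeping even after patching, since a FortiCloud SSO login by an account the organization does not own is the observable effect of this bug regardless of which actor accounts are eventually named.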