Fortinet has confirmed that its FortiCloud SSO feature has a critical authentication bypass vulnerability, tracked as CVE-2026-24858, that is being actively exploited in the wild. The vulnerability impacts FortiOS, FortiManager, FortiAnalyzer, and FortiProxy, according to an advisory released on January 27, 2026. It is caused by incorrect access control (CWE-288) in the GUI component and has a CVSSv3 score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

If FortiCloud SSO is enabled, attackers with a registered device and a FortiCloud account can access other devices linked to separate accounts. Interestingly, unless administrators specifically disable the "Allow administrative login using FortiCloud SSO" toggle, this feature is enabled during FortiCare registration from the GUI.

Details of Exploitation and Threat Actor Activity

On January 22, 2026, Fortinet discovered that two malicious FortiCloud accounts were being exploited. The vendor disabled FortiCloud SSO on the cloud side on January 26, reenabled it the following day, and is currently preventing logins from vulnerable versions in order to protect customers. Attackers created persistent local admin accounts and downloaded customer configuration files for reconnaissance after authentication.

Config exfiltration and admin privilege escalation are key operations. Fortinet advises checking all admin accounts for irregularities. FortiWeb and FortiSwitch Manager are among the products being examined. Upgrades must be made immediately.

An upgrade path tool is offered by Fortinet.

A table of the impacted versions is shown below:

| Product | Affected Versions | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiAnalyzer 6.4 | Not affected | N/A |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiManager 6.4 | Not affected | N/A |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to 7.0.19 or above |
| FortiOS 6.4 | Not affected | N/A |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to 7.4.13 or above |
| FortiProxy 7.2 | All versions | Switch to a fixed release |
| FortiProxy 7.0 | All versions | Switch to a fixed release |

Indicators of Compromise

Fortinet shared IoCs for threat hunting.

Look for these indications of compromise in the logs:

| IoC | Value |
|---|---|
| SSO Login Accounts | cloud-noc@mail[.]io, cloud-init@mail[.]io |
| IP addresses | 104.28.244[.]115, 104.28.212[.]114, 104.28.212[.]115, 104.28.195[.]105, 104.28.195[.]106, 104.28.227[.]106, 104.28.227[.]105, 104.28.244[.]114, 37.1.209[.]19, 217.119.139[.]50 |
| Malicious Local Accounts | |

Actors moved to IPs protected by Cloudflare; emails might change after neutralization.

Mitigations

FortiCloud SSO now rejects susceptible devices, but if necessary, turn it off locally.

FortiOS/FortiProxy CLI:

    config system global
        set admin-forticloud-sso-login disable
    end

FortiManager/FortiAnalyzer CLI:

    config system saml
        set forticloud-sso disable
    end

GUI paths: System > Settings (toggle off) or System Settings > SAML SSO.
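The indicators listed above can be checked against exported admin event logs with a short script. This is an added example, not Fortinet's tooling or code from the original article; the key=value log layout, the field names (user, srcip, ui, cfgpath, cfgobj, action) and the sample lines are assumptions constructed for illustration.

```python
import re

# IoCs as listed on this page, still defanged; refanged at load time.
DEFANGED = """
cloud-noc@mail[.]io cloud-init@mail[.]io
104.28.244[.]115 104.28.212[.]114 104.28.212[.]115 104.28.195[.]105
104.28.195[.]106 104.28.227[.]106 104.28.227[.]105 104.28.244[.]114
37.1.209[.]19 217.119.139[.]50
"""

def refang(text):
    """Undo defanging, including spaced variants such as '[. ]' and ' [.]'."""
    return re.sub(r"\s*\[\.\s*\]\s*", ".", text)

IOCS = set(refang(DEFANGED).lower().split())
IOC_ACCOUNTS = {i for i in IOCS if "@" in i}
IOC_IPS = IOCS - IOC_ACCOUNTS
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def hunt(lines):
    """Return (line_no, reason) pairs for log lines worth reviewing."""
    hits = []
    for no, line in enumerate(lines, 1):
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        if f.get("user", "").lower() in IOC_ACCOUNTS:
            hits.append((no, "IoC SSO account " + f["user"].lower()))
        # Match IoC IPs anywhere in the line (srcip=, ui="sso(...)", msg=...).
        for ip in sorted(set(IPV4.findall(line)) & IOC_IPS):
            hits.append((no, "IoC IP " + ip))
        # Assumed field names for an event that adds an admin object.
        if f.get("cfgpath") == "system.admin" and f.get("action", "").lower() == "add":
            hits.append((no, "local admin created: " + f.get("cfgobj", "?")))
    return hits

# Constructed sample lines (not real logs); 192.0.2.x is documentation space.
SAMPLE = [
    'logdesc="Admin login successful" user="admin" srcip=192.0.2.10 action="login"',
    'logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.212.114)" srcip=104.28.212.114 action="login"',
    'logdesc="Object attribute configured" user="cloud-init@mail.io" ui="sso(192.0.2.77)" cfgpath="system.admin" cfgobj="example-admin" action="Add"',
    'logdesc="Admin login successful" user="ops" srcip=104.28.212.1140 action="login"',
]

if __name__ == "__main__":
    for no, reason in hunt(SAMPLE):
        print(f"line {no}: {reason}")
```

Because the article notes that the actors moved to Cloudflare-protected IPs and that the e-mail addresses may change, the admin-creation check matters independently of the IoC matches: every flagged account should be compared against the list of admins you expect to exist.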

Following confirmation of the active exploitation of a zero-day authentication bypass vulnerability in several products, Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service.