Fortinet has confirmed that a wave of malicious logins through FortiCloud's single sign-on (SSO) feature was the result of exploitation of a new zero-day vulnerability. On Tuesday the vendor disclosed CVE-2026-24858, a critical authentication bypass with a CVSS score of 9.8 that affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. According to Fortinet's advisory, an attacker can abuse the FortiCloud SSO authentication feature to gain access to a device.
To put it briefly, if SSO is enabled on the device, a threat actor with a registered Fortinet device and an active FortiCloud account could use the vulnerability to log into another user's device as if it were their own.
Fortinet noted that, fortunately, the FortiCloud SSO login feature is not enabled on devices by default. On January 26, Fortinet temporarily disabled the FortiCloud SSO feature for all accounts and devices to stop the malicious logins. On January 27, it re-enabled the feature, but devices running versions vulnerable to CVE-2026-24858 can no longer log in through it.
"Therefore disabling FortiCloud SSO login on client side is not necessary at the moment," the advisory said. Customers were advised by Fortinet to update all FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb devices to fixed versions.
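Since the attack path described above only works on devices that have FortiCloud SSO login switched on, a quick inventory check is whether any managed device has that setting enabled. The script below is an added example, not Fortinet's code and not from the advisory: it parses text captured from a FortiOS `show full-configuration` dump and reports whether the `config system global` block enables FortiCloud SSO admin login. The setting name `admin-forticloud-sso-login` is taken from FortiOS CLI conventions, not from the article, so treat it as an assumption and confirm it against your firmware's CLI reference; the two sample config dumps are constructed for the example. It does not check firmware versions, because the article lists no fixed version numbers.

```python
"""Flag FortiOS config dumps where FortiCloud SSO admin login is enabled.

Added example, not Fortinet's code. ASSUMPTION: the FortiOS CLI setting is
'admin-forticloud-sso-login' under 'config system global' (taken from FortiOS
CLI conventions, not from the advisory). Feed it text captured from
`show full-configuration` on each device.
"""
import re

# ASSUMED setting name (see module docstring); adjust if your CLI differs.
SSO_SETTING = "admin-forticloud-sso-login"

_SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_global_block(config_text: str) -> dict:
    """Return {key: value} for every `set` line inside `config system global ... end`.

    Only the global block is read; nested blocks elsewhere in the dump are ignored.
    Surrounding double quotes on values (e.g. hostnames) are stripped.
    """
    settings = {}
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
            continue
        if not in_global:
            continue
        if line == "end":
            break
        m = _SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def forticloud_sso_enabled(config_text: str) -> bool:
    """True only if the dump explicitly enables FortiCloud SSO admin login.

    The article states the feature is off by default, so a missing setting
    (as in a `show` dump that omits defaults) is treated as disabled.
    """
    return parse_global_block(config_text).get(SSO_SETTING, "disable") == "enable"


def assess(config_text: str) -> str:
    """One-line verdict for a device, keyed by its hostname."""
    g = parse_global_block(config_text)
    host = g.get("hostname", "<unknown>")
    if forticloud_sso_enabled(config_text):
        return f"{host}: FortiCloud SSO login ENABLED - exposed to the SSO login path; patch first"
    return f"{host}: FortiCloud SSO login disabled/default - still patch per the advisory"


# Constructed sample dumps (not captured from real devices).
ENABLED_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set timezone "US/Pacific"
end
config system admin
    edit "admin"
    next
end
"""

DEFAULT_CONFIG = """\
config system global
    set hostname "fw-lab-02"
end
"""

if __name__ == "__main__":
    for dump in (ENABLED_CONFIG, DEFAULT_CONFIG):
        print(assess(dump))
```

Run it over one dump per device and triage the "ENABLED" lines first; the advisory's actual fix is to upgrade every listed product, so the verdict for the rest is still "patch".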