Fortinet has issued an urgent security advisory for an authentication bypass vulnerability in its FortiCloud Single Sign-On (SSO) feature that has been actively exploited in the wild. The flaw, tracked as CVE-2026-24858, affects several Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, and FortiProxy.

Critical Authentication Bypass Vulnerability

The flaw is an authentication bypass using an alternate path or channel (CWE-288). When FortiCloud SSO authentication is enabled on a target device, an attacker who holds a FortiCloud account with a registered device can gain unauthorized administrative access to devices registered under other FortiCloud accounts. FortiCloud SSO is not enabled in factory settings, but it is activated when an administrator registers the device with FortiCare through the device's graphical user interface.

Unless the administrator specifically turns off the "Allow administrative login using FortiCloud SSO" toggle during registration, SSO login remains enabled and the device is exposed.

Fortinet's Response to Active Exploitation

Fortinet identified two malicious FortiCloud accounts actively exploiting the vulnerability and locked them out on January 22, 2026.

On January 26, 2026, Fortinet temporarily disabled FortiCloud SSO on the FortiCloud side to stop further exploitation against customer devices. On January 27, 2026, the service was restored with additional protections: the re-enabled FortiCloud SSO no longer accepts login attempts from devices running vulnerable versions, so organizations must upgrade to a patched release to regain SSO functionality. The vulnerability affects multiple Fortinet product lines.

The affected FortiOS versions are 7.0.0 through 7.0.18, 7.2.0 through 7.2.12, 7.4.0 through 7.4.10, and 7.6.0 through 7.6.5. FortiManager and FortiAnalyzer are affected across the same 7.0, 7.2, 7.4, and 7.6 branches. FortiProxy versions 7.0 through 7.6.4 are also affected.

Notably, the 8.0 and 6.4 branches of the affected products are not impacted. Fortinet has released fixes for some versions, including FortiOS 7.4.11, FortiManager 7.4.10, and FortiAnalyzer 7.4.10; patches for the remaining affected branches are forthcoming. Fortinet advises customers to follow the recommended upgrade path using its upgrade tool at docs.fortinet.com/upgrade-tool, as reported by FortiGuard.

The threat actors demonstrated sophisticated tactics during exploitation.

After authenticating through SSO, the attackers created local administrator accounts with names chosen to blend in with legitimate system accounts. Observed account names include "audit", "backup", "itadmin", "secadmin", "support", "deploy", "remoteadmin", and "svcadmin". The attackers' main goals were to download customer configuration files and to establish persistent access through these newly created administrative accounts.

To hide their activity, the threat actors rotated through multiple IP addresses and moved to Cloudflare-protected infrastructure.

Indicators of Compromise

Type         Value                Description
Email        cloud-noc@mail.io    Malicious SSO login account
Email        cloud-init@mail.io   Malicious SSO login account
IP address   104.28.244.115       Attacker IP behind Cloudflare
IP address   104.28.212.114       Attacker IP behind Cloudflare
IP address   104.28.212.115       Attacker IP behind Cloudflare
IP address   104.28.195.105       Attacker IP behind Cloudflare
IP address   104.28.195.106       Attacker IP behind Cloudflare
IP address   104.28.227.106       Attacker IP behind Cloudflare
IP address   104.28.227.105       Attacker IP behind Cloudflare
IP address   104.28.244.114       Attacker IP behind Cloudflare
IP address   37.1.209.19          Attacker IP observed by a third party
IP address   217.119.139.50       Attacker IP observed by a third party

Organizations should immediately review their Fortinet devices for unauthorized administrator accounts, check logs for connections from the listed IP addresses and logins by the listed accounts, and prioritize upgrading to patched versions.
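As an added example (not code from Fortinet or from the advisory), the following Python script runs the review steps above over constructed FortiOS-style log lines: it flags events from the listed IP addresses and accounts, every SSO login (since the bypass let any FortiCloud account reach the device, not only the two locked-out ones), creation of system.admin objects (with the decoy names above rated higher than other new admins), and configuration exports. The key=value layout is the one FortiOS uses, but the specific field names and values relied on here (logdesc, cfgpath, cfgobj, method=sso, action=backup) are assumptions; confirm them against your own devices' logs before trusting the output.

```python
"""Post-exploitation triage for FortiOS-style event logs (CVE-2026-24858).

Added example for this article; it is not Fortinet's tooling. The sample log
lines are constructed in the key=value style FortiOS uses, and the exact field
names/values (logdesc, cfgpath, method, action) are assumptions to be checked
against real device output before the results are trusted.
"""
import re
from typing import Dict, List

# Indicators from the advisory as quoted in the article.
IOC_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}
# Local admin names the attackers created to blend in with legitimate accounts.
SUSPICIOUS_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support",
    "deploy", "remoteadmin", "svcadmin",
}

# key=value tokens; quoted values may contain spaces and escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# IP embedded in a ui=https(1.2.3.4) field (assumed format).
_UI_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one FortiOS-style log line into a field dict, unquoting values."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def source_ip(fields: Dict[str, str]) -> str:
    """Prefer srcip; fall back to the IP inside the ui= field if present."""
    if fields.get("srcip"):
        return fields["srcip"]
    m = _UI_IP.search(fields.get("ui", ""))
    return m.group(1) if m else ""


def triage(lines: List[str]) -> List[dict]:
    """Return one finding per matched indicator, tagged with its line number."""
    findings = []

    def add(n, f, kind, detail):
        findings.append({"line": n, "kind": kind, "detail": detail,
                         "user": f.get("user", ""),
                         "time": f"{f.get('date', '')} {f.get('time', '')}"})

    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        user = f.get("user", "").lower()
        action = f.get("action", "").lower()
        ip = source_ip(f)

        if ip in IOC_IPS:
            add(n, f, "ioc_ip", f"source {ip} is a published attacker IP")
        if user in IOC_ACCOUNTS:
            add(n, f, "ioc_account", f"{user} is a published malicious SSO account")
        # Any SSO login is worth a look: the bypass was not limited to the two
        # accounts Fortinet locked out. (method=sso is an assumed field value.)
        if action == "login" and f.get("method", "").lower() == "sso":
            add(n, f, "sso_login", f"SSO login by {user} from {ip}")
        # Admin creation: decoy names are high severity; any other new admin
        # should still be verified against change records.
        if f.get("cfgpath") == "system.admin" and action == "add":
            name = f.get("cfgobj", "").lower()
            if name in SUSPICIOUS_ADMIN_NAMES:
                add(n, f, "suspicious_admin_created", f"decoy admin '{name}' created")
            else:
                add(n, f, "admin_created", f"new admin '{name}' created; verify")
        # Configuration backup/download matches the attackers' stated goal.
        text = (f.get("logdesc", "") + " " + f.get("msg", "")).lower()
        if action in {"backup", "download"} and "config" in text:
            add(n, f, "config_export", f"configuration exported by {user}")
    return findings


# Constructed sample lines (not real device output) exercising each check.
LOG_LINES = [
    'date=2026-01-20 time=10:14:02 type=event subtype=system level=notice logdesc="Admin login successful" user="cloud-init@mail.io" ui=https(104.28.212.114) method=sso srcip=104.28.212.114 action=login status=success msg="Administrator cloud-init@mail.io logged in successfully"',
    'date=2026-01-20 time=10:15:40 type=event subtype=system level=notice logdesc="Object configuration changed" user="cloud-init@mail.io" ui=https(104.28.212.114) action=Add cfgpath="system.admin" cfgobj="svcadmin" cfgattr="accprofile[super_admin]" msg="Add system.admin svcadmin"',
    'date=2026-01-20 time=10:16:05 type=event subtype=system level=notice logdesc="Configuration backup" user="cloud-init@mail.io" ui=https(104.28.212.114) action=backup msg="Full configuration downloaded"',
    'date=2026-01-21 time=08:02:11 type=event subtype=system level=notice logdesc="Admin login successful" user="admin" ui=https(10.0.5.20) method=https srcip=10.0.5.20 action=login status=success msg="Administrator admin logged in successfully"',
    'date=2026-01-21 time=09:30:00 type=event subtype=system level=notice logdesc="Object configuration changed" user="admin" ui=https(10.0.5.20) action=Add cfgpath="system.admin" cfgobj="jdoe" cfgattr="accprofile[prof_admin]" msg="Add system.admin jdoe"',
    'date=2026-01-21 time=11:45:19 type=event subtype=system level=warning logdesc="Admin login failed" user="admin" ui=https(37.1.209.19) method=https srcip=37.1.209.19 action=login status=failed msg="Administrator admin login failed"',
]

if __name__ == "__main__":
    for r in triage(LOG_LINES):
        print(f"line {r['line']} [{r['kind']}] {r['time']} {r['detail']}")
```

Point the script at an exported event log (one line per event) instead of LOG_LINES and work the findings from "suspicious_admin_created" and "ioc_account" downward; the "admin_created" and "sso_login" entries are lower-confidence prompts to reconcile against your change records, not verdicts.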

Even though the feature has been secured on the FortiCloud side, administrators can disable FortiCloud SSO login on the device itself as an extra precaution, either in the GUI system settings or from the CLI (on FortiOS the relevant global setting is admin-forticloud-sso-login under config system global; confirm the exact command against the CLI reference for your release). Doing so removes the SSO path entirely until the device is upgraded and the setting can be reviewed.