Fortinet has disclosed a critical authentication bypass zero-day vulnerability affecting its FortiCloud single sign-on feature after the company took the emergency step of temporarily disabling the cloud authentication service globally to stop active exploitation.
The US Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog the same day.
The vulnerability, tracked as CVE-2026-24858, marks the second time in recent weeks that Fortinet has had to address critical FortiCloud SSO authentication bypasses: the company patched two similar flaws, CVE-2025-59718 and CVE-2025-59719, in December.
CVE-2026-24858 allowed attackers to compromise FortiGate firewalls, FortiManager, and FortiAnalyzer devices even when those systems were running the latest firmware available at the time. Customers first reported breaches on January 20 and 21, with attackers creating new local administrator accounts on fully patched devices, Fortinet said in its advisory.
Fortinet has begun releasing patches for affected products, but most fixed versions are still listed as “upcoming” in the company’s advisory. The company released FortiOS 7.4.11 to address the vulnerability, with additional patched versions expected shortly.
“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on January 22,” the advisory added.
How the vulnerability works
CVE-2026-24858 is “an authentication bypass using an alternate path or channel vulnerability” (CWE-288) affecting FortiOS, FortiManager, and FortiAnalyzer, according to Fortinet’s advisory. The flaw carries a CVSS score of 9.4.
The vulnerability “may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in the advisory.
While FortiCloud SSO is not enabled in factory default settings, it automatically activates when administrators register devices to FortiCare through the GUI unless they manually disable the “Allow administrative login using FortiCloud SSO” toggle during registration. In practice, any device that was registered through the GUI with the default choices has SSO login enabled unless someone turned it off afterwards, so the setting should be checked rather than assumed.
Fortinet noted that while exploitation has only been observed through FortiCloud SSO, “this issue is applicable to all SAML SSO implementations.” Devices that use SAML SSO for administrator login with a different identity provider should therefore not be treated as out of scope.
Attack details and indicators
Fortinet’s investigation into the exploitation revealed attackers used two specific FortiCloud accounts: “[email protected]” and “[email protected],” though the company warned “these addresses may change in the future.”
Fortinet identified multiple IP addresses associated with the attacks, including several belonging to Cloudflare’s network, which the attackers used to obscure the origin of their traffic. Blocking on those addresses alone is a weak control for the same reason.
“Following authentication via SSO, it has been observed that the actor creates a local admin account with one of the following names,” Fortinet warned, listing accounts including “audit,” “backup,” “itadmin,” “secadmin,” “support,” and “system.”
The attackers’ main operations focused on downloading customer configuration files and creating persistent admin accounts. A downloaded configuration contains the device’s full policy set along with stored credentials and pre-shared keys, so a device where this occurred should be treated as fully compromised: remove the rogue accounts, then rotate every secret held in the configuration rather than stopping at the account cleanup.
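The two behaviours Fortinet describes (a local admin added with one of the listed names, followed by a configuration download) are easy to hunt for in FortiOS event logs. The script below is an added example, not Fortinet’s tooling: it parses FortiOS-style key=value syslog and applies those indicators as rules. The sample log lines are constructed to mimic FortiOS event logs; the log IDs, the exact logdesc strings, the allowlist of expected administrators and the assumption that an SSO login surfaces the FortiCloud account in the user field are all assumptions to adjust for a real estate.

```python
"""Scan FortiOS-style event logs for the post-exploitation indicators Fortinet listed.

Added example, not Fortinet's tooling. The sample lines are constructed to mimic
FortiOS key=value syslog (logdesc/action/cfgpath/cfgobj/user fields follow the
FortiOS convention; log IDs and the exact logdesc strings are assumptions).
"""
import re

# Local admin names the advisory says the actor created after an SSO login.
SUSPICIOUS_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "system"}

# Hypothetical allowlist: accounts expected to change configuration on this estate.
KNOWN_ADMINS = {"admin", "netops"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (documentation IP ranges, placeholder log IDs).
SAMPLE_LOGS = [
    'date=2026-01-21 time=03:12:07 logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="attacker@example.invalid" ui="https(203.0.113.10)" '
    'srcip=203.0.113.10 action="login" status="success" msg="Administrator attacker@example.invalid logged in"',
    'date=2026-01-21 time=03:12:40 logid="0100044547" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="attacker@example.invalid" ui="GUI(203.0.113.10)" '
    'action="Add" cfgpath="system.admin" cfgobj="itadmin" cfgattr="accprofile[super_admin]" msg="Add system.admin itadmin"',
    'date=2026-01-21 time=03:13:05 logid="0100044546" type="event" subtype="system" level="notice" '
    'vd="root" logdesc="Configuration backed up" user="itadmin" ui="GUI(203.0.113.10)" action="backup" '
    'msg="Configuration is backed up to local computer"',
    'date=2026-01-21 time=09:00:00 logid="0100044547" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.5)" action="Add" '
    'cfgpath="system.admin" cfgobj="jdoe" cfgattr="accprofile[prof_admin]" msg="Add system.admin jdoe"',
    'date=2026-01-21 time=09:05:12 logid="0100044547" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="netops" ui="ssh(10.0.0.6)" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12" cfgattr="status[enable]" msg="Edit firewall.policy 12"',
]


def parse_log_line(line):
    """Parse one FortiOS key=value line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def scan(lines):
    """Return a list of findings; each is {"line", "rule", "severity", "user", "detail"}."""
    findings = []

    def hit(idx, user, rule, severity, detail):
        findings.append({"line": idx, "rule": rule, "severity": severity, "user": user, "detail": detail})

    for idx, line in enumerate(lines):
        f = parse_log_line(line)
        user = f.get("user", "")
        action = f.get("action", "")
        logdesc = f.get("logdesc", "").lower()

        # Rules 1 and 2: a local administrator object was added (cfgpath system.admin).
        if f.get("cfgpath") == "system.admin" and action == "Add":
            name = f.get("cfgobj", "")
            if name.lower() in SUSPICIOUS_ADMIN_NAMES:
                hit(idx, user, "ioc_admin_name", "high", f"new admin '{name}' matches the advisory's list")
            if user not in KNOWN_ADMINS:
                hit(idx, user, "unexpected_admin_creator", "medium", f"admin '{name}' created by '{user}'")
        # Rule 3: configuration backup/download, the other activity Fortinet observed.
        elif action == "backup" or "backed up" in logdesc:
            if user in SUSPICIOUS_ADMIN_NAMES:
                hit(idx, user, "config_backup_by_ioc_admin", "high", "config exported by an IoC-named admin")
            elif user not in KNOWN_ADMINS:
                hit(idx, user, "unexpected_config_backup", "medium", f"config exported by '{user}'")
        # Rule 4 (assumption: an SSO login surfaces the FortiCloud account, i.e. an e-mail
        # address, in the user field): successful admin login by an unknown cloud identity.
        elif action == "login" and f.get("status") == "success" and "@" in user and user not in KNOWN_ADMINS:
            hit(idx, user, "login_by_unknown_cloud_account", "low", f"admin login as '{user}'")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding['line']:>2}  {finding['severity']:<6} {finding['rule']:<30} {finding['detail']}")
```

Run it against an export of the device’s event log (or the equivalent FortiAnalyzer query). The name-based rule is the strongest signal because Fortinet published those names; the creator and backup rules catch the same behaviour if the actor changes names, which the advisory explicitly warns may happen, at the cost of tuning the allowlist.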
Emergency cloud-side shutdown
In response to the active exploitation, Fortinet disabled FortiCloud SSO across its entire cloud infrastructure on January 26 to protect customers from further attacks.
The feature was re-enabled 24 hours later with a critical safeguard. “It was re-enabled on January 27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function,” Fortinet explained.
This server-side blocking means organizations running vulnerable versions cannot use FortiCloud SSO until they upgrade to patched releases, even though most of those patches are not yet available. Administrators of such devices need a working local admin login path in the meantime.
Affected products and patch status
The vulnerability affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy versions 7.0 through 7.6. Version 6.4 releases are not affected. Fortinet said it is still investigating whether FortiWeb and FortiSwitch Manager are also vulnerable.
Fortinet’s advisory lists most patched versions as “upcoming,” with FortiOS 7.4.11 the only released fix so far; every other affected branch should be treated as unpatched until its fix ships. The company’s upgrade tool provides recommended upgrade paths once patches become available.
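With only one fixed build published and the rest “upcoming,” the first job is to sort an inventory into devices that are patched, devices that are vulnerable with SSO login on, and devices whose status Fortinet has not yet stated. The script below is an added example, not Fortinet’s upgrade tool: it encodes only the facts on this page (7.0 through 7.6 affected, 6.4 not affected, FortiOS 7.4.11 fixed, FortiWeb and FortiSwitch Manager under investigation) and treats any branch without a published fix as unpatched. The inventory rows, hostnames and the SSO flag per device are constructed.

```python
"""Triage a device inventory against the affected/fixed versions this page reports.

Added example, not Fortinet's upgrade tool. The inventory rows are constructed.
Fixed-version data is limited to what the page states (FortiOS 7.4.11); every
other affected branch is listed as "upcoming" and is therefore treated as unpatched.
"""

AFFECTED_PRODUCTS = {"FortiOS", "FortiManager", "FortiAnalyzer", "FortiProxy"}
UNDER_INVESTIGATION = {"FortiWeb", "FortiSwitch Manager"}
AFFECTED_BRANCH_RANGE = ((7, 0), (7, 6))      # "versions 7.0 through 7.6"; 6.4 is not affected

# (product, branch) -> first fixed version. Absent entry = fix still "upcoming".
FIXED_VERSIONS = {("FortiOS", (7, 4)): (7, 4, 11)}

# Constructed inventory: (hostname, product, version, "Allow administrative login using FortiCloud SSO").
INVENTORY = [
    ("fw-edge-1", "FortiOS", "7.4.11", True),
    ("fw-edge-2", "FortiOS", "7.4.10", True),
    ("fw-lab",    "FortiOS", "7.6.3", False),
    ("fw-legacy", "FortiOS", "6.4.15", True),
    ("fmg-1",     "FortiManager", "7.4.11", True),
    ("waf-1",     "FortiWeb", "7.4.3", True),
]


def parse_version(text):
    """'7.4.11' -> (7, 4, 11); tuples compare correctly where naive string compare does not."""
    return tuple(int(part) for part in text.split("."))


def triage(product, version, sso_login_enabled):
    """Classify one device. Returns one of:
    not_affected, investigate, unknown_branch, patched, exposed, vulnerable_sso_off."""
    ver = parse_version(version)
    branch = ver[:2]
    if product in UNDER_INVESTIGATION:
        return "investigate"            # Fortinet has not yet said whether these are affected
    if product not in AFFECTED_PRODUCTS or branch < AFFECTED_BRANCH_RANGE[0]:
        return "not_affected"
    if branch > AFFECTED_BRANCH_RANGE[1]:
        return "unknown_branch"         # newer than anything the advisory covers; check the advisory
    fixed = FIXED_VERSIONS.get((product, branch))
    if fixed is not None and ver >= fixed:
        return "patched"
    # Vulnerable build. With SSO login on, the device is reachable through the bypass and,
    # since January 27, its SSO login is also refused server-side until it is upgraded.
    return "exposed" if sso_login_enabled else "vulnerable_sso_off"


PRIORITY = ["exposed", "vulnerable_sso_off", "investigate", "unknown_branch", "patched", "not_affected"]


def triage_inventory(rows):
    """Return [(hostname, status)] ordered most urgent first."""
    results = [(host, triage(product, version, sso)) for host, product, version, sso in rows]
    return sorted(results, key=lambda r: PRIORITY.index(r[1]))


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY):
        print(f"{host:<10} {status}")
```

Note that a FortiManager on 7.4.11 still comes out as exposed: the fixed build on the page is a FortiOS release, and a matching version number on a different product is not a fix. Update FIXED_VERSIONS from the advisory as further builds are published.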
Federal deadline and immediate actions
CISA’s addition of CVE-2026-24858 to the KEV catalog means federal civilian executive branch agencies must patch affected systems by February 17, 2026, or discontinue use of vulnerable products. The agency said the vulnerability “is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
The company noted that “disabling FortiCloud SSO login on client side is not necessary at the moment,” since the server-side block already refuses SSO logins from vulnerable builds, though organizations that prefer not to rely on a cloud-side control can disable the feature locally through System Settings or CLI commands if desired.