Securing Your Cloud: FortiCloud SSO Vulnerabilities Exploited and Patching Strategies
The Critical Fortinet FortiCloud SSO Authentication Bypass Vulnerability
Fortinet has confirmed a critical vulnerability in FortiCloud’s single sign-on (SSO) authentication path, tracked as CVE-2026-24858. It is being actively exploited to obtain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, including devices that are fully patched against previously disclosed vulnerabilities.
Initial reports of compromised FortiGate firewalls on January 21 showed attackers abusing FortiCloud SSO to create new local administrator accounts on devices running the latest firmware. The activity was initially believed to be a patch bypass for CVE-2025-59718, another critical FortiCloud SSO authentication bypass that Fortinet patched in December 2025.
Fortinet administrators reported that hackers were accessing FortiGate devices via FortiCloud SSO using the email address cloud-init@mail.io and subsequently creating new local admin accounts. Logs shared by impacted customers showed similarities with indicators observed during the December exploitation.
Arctic Wolf confirmed the attacks on January 22, noting that they appeared to be automated: attackers created rogue admin and VPN-enabled accounts and exfiltrated firewall configurations within seconds of logging in. The tradecraft matched the December campaign that exploited CVE-2025-59718.
Fortinet’s Response and Mitigation
On January 23, Fortinet confirmed that attackers were exploiting an alternate authentication path that remained active even on fully patched systems. Fortinet’s Chief Information Security Officer, Carl Windsor, noted that devices running the latest firmware were compromised, indicating a new attack path in use.
While exploitation was primarily observed through FortiCloud SSO, Fortinet warned that the issue could also affect other SAML-based SSO implementations. As a mitigation measure, Fortinet advised customers to restrict administrative access to their devices and disable FortiCloud SSO.
Fortinet took immediate actions to mitigate the attacks while developing patches:
- On January 22, Fortinet disabled abused FortiCloud accounts.
- On January 26, Fortinet globally disabled FortiCloud SSO on the FortiCloud side to prevent further abuse.
- On January 27, FortiCloud SSO access was restored but restricted for devices running vulnerable firmware.
Because this change is enforced on the FortiCloud side, it blocks exploitation even where FortiCloud SSO remains enabled on the device itself. Fortinet told customers that no client-side action was required until patches are released.
Fortinet published a formal PSIRT advisory on January 27, assigning CVE-2026-24858 to the vulnerability and rating it critical with a CVSS score of 9.4. The vulnerability, labeled “Authentication Bypass Using an Alternate Path or Channel,” stemmed from improper access control in FortiCloud SSO.
Fortinet confirmed that patches for FortiOS, FortiManager, and FortiAnalyzer are still in development. In the meantime, FortiCloud SSO is blocking logins from vulnerable devices, eliminating the need for administrators to disable the feature.
However, to prevent potential exploitation with other SAML SSO implementations, administrators may choose to temporarily disable the SSO feature by issuing a specific command.
Fortinet is also investigating whether FortiWeb and FortiSwitch Manager are affected by the vulnerability. Customers detecting the aforementioned compromise indicators in their logs are advised to treat their devices as fully compromised, review all administrator accounts, restore configurations from clean backups, and rotate all credentials.
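The indicators above (an SSO admin login by the reported cloud-init@mail.io identity, followed within seconds by new local admin and VPN-capable accounts and a configuration export) lend themselves to a simple log hunt. The following is an added example, not code from the article or from Fortinet: it parses FortiOS-style key=value event logs and correlates those events by time. The log lines are constructed for this example; their field names (date, time, logdesc, user, ui, action, cfgpath, cfgobj) imitate the FortiOS event-log style but are not captured from a real device, the IP addresses are RFC 5737 documentation addresses, and the 5-minute correlation window is an assumption.

```python
"""Added example (not from the article or from Fortinet): hunt FortiOS-style
event logs for the compromise pattern described in the article, namely an
admin login by the reported indicator identity followed within seconds by
new local admin/VPN accounts and a configuration export.

The log lines below are CONSTRUCTED for this example. Field names imitate the
FortiOS key=value event-log style but are not captured from a real device;
IP addresses are RFC 5737 documentation addresses.
"""
import re
from datetime import datetime, timedelta

# Indicator reported by affected customers: the FortiCloud SSO identity used.
ROGUE_SSO_USER = "cloud-init@mail.io"

# Arctic Wolf described the follow-on actions as taking seconds; a 5-minute
# correlation window is an assumption chosen for this example.
WINDOW = timedelta(minutes=5)

# key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # Constructed: attacker session via FortiCloud SSO
    'date=2026-01-21 time=03:12:07 type="event" subtype="system" logdesc="Admin login successful" '
    'user="cloud-init@mail.io" ui="https(203.0.113.25)" msg="Administrator logged in successfully"',
    'date=2026-01-21 time=03:12:09 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="cloud-init@mail.io" ui="GUI(203.0.113.25)" action="Add" cfgpath="system.admin" cfgobj="support_admin"',
    'date=2026-01-21 time=03:12:11 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="cloud-init@mail.io" ui="GUI(203.0.113.25)" action="Add" cfgpath="user.local" cfgobj="vpnsvc"',
    'date=2026-01-21 time=03:12:14 type="event" subtype="system" logdesc="Configuration backup" '
    'user="cloud-init@mail.io" ui="GUI(203.0.113.25)" msg="Configuration file downloaded"',
    # Constructed: legitimate admin activity hours later, outside the window
    'date=2026-01-21 time=08:45:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="ssh(198.51.100.7)" msg="Administrator logged in successfully"',
    'date=2026-01-21 time=08:46:30 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="ssh(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="backup_admin"',
]


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def event_time(ev: dict) -> datetime:
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def _events(lines):
    """Parsed events in chronological order (logs are not always in order)."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=event_time)


def find_compromise_indicators(lines) -> list:
    """Return (timestamp, description) findings for the rogue-SSO pattern.

    A login by ROGUE_SSO_USER is flagged on its own; account creations and
    configuration exports are flagged only when they follow such a login
    within WINDOW (correlation is by time, since these logs carry no session id).
    """
    findings = []
    last_rogue_login = None
    for ev in _events(lines):
        ts = event_time(ev)
        desc = ev.get("logdesc", "").lower()
        if "login" in desc and ev.get("user", "").lower() == ROGUE_SSO_USER:
            last_rogue_login = ts
            findings.append((ts, f"SSO login by indicator identity {ROGUE_SSO_USER} from {ev.get('ui', '?')}"))
            continue
        if last_rogue_login is None or ts - last_rogue_login > WINDOW:
            continue  # not attributable to a rogue session
        lag = int((ts - last_rogue_login).total_seconds())
        if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            findings.append((ts, f"local admin account '{ev.get('cfgobj')}' created {lag}s after rogue login"))
        elif ev.get("action") == "Add" and ev.get("cfgpath") == "user.local":
            findings.append((ts, f"local user '{ev.get('cfgobj')}' (VPN-capable) created {lag}s after rogue login"))
        elif "backup" in desc or "download" in ev.get("msg", "").lower():
            findings.append((ts, f"configuration exported {lag}s after rogue login"))
    return findings


def admin_account_additions(lines) -> list:
    """Every local admin account created in the log, regardless of creator,
    as input to the full administrator-account review Fortinet recommends."""
    return [ev["cfgobj"] for ev in _events(lines)
            if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin"]


if __name__ == "__main__":
    for ts, what in find_compromise_indicators(SAMPLE_LOG):
        print(ts, what)
    print("admin accounts added:", admin_account_additions(SAMPLE_LOG))
```

Run against the constructed sample, the script flags the four events of the attacker session and ignores the later, unrelated admin creation, while the account-review list still surfaces every new admin for manual verification. Against real exports, treat any hit on the indicator identity as grounds for the full response Fortinet describes (assume compromise, review accounts, restore from a clean backup, rotate credentials) rather than as a single event to close.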
Conclusion
CVE-2026-24858 is a significant threat to organizations running Fortinet devices because it grants administrative access through a cloud-side trust path rather than through a flaw patched on the device. Fortinet’s server-side block has stopped the observed exploitation, but administrators should still apply the firmware patches when they ship, audit administrator and VPN accounts for unexpected additions, and treat any sign of the indicators above as a full compromise.