Source: BleepingComputer
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
What Happened
The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability (CVE-2025-59718).
Fortinet customers first reported compromised FortiGate firewalls on January 21, with attackers creating new local administrator accounts via FortiCloud SSO on devices running the latest available firmware. Cybersecurity firm Arctic Wolf confirmed the attacks appeared automated, with rogue admin accounts created and firewall configurations exfiltrated within seconds.
Technical Details
The vulnerability is an “Authentication Bypass Using an Alternate Path or Channel” caused by improper access control in FortiCloud SSO. Attackers with a FortiCloud account and a registered device could authenticate to other customers’ devices if FortiCloud SSO was enabled. Fortinet has rated this flaw as critical with a CVSS score of 9.4.
Indicators of Compromise
Fortinet confirmed the following malicious FortiCloud SSO accounts were used:
- cloud-noc@mail.io
- cloud-init@mail.io
Rogue admin accounts created by attackers include:
- audit, backup, itadmin, secadmin, support
- backupadmin, deploy, remoteadmin, security, svcadmin, system
Known attacker IP addresses:
- 104.28.244.115, 104.28.212.114, 104.28.212.115
- 104.28.195.105, 104.28.195.106, 104.28.227.106
- 104.28.227.105, 104.28.244.114
- 37.1.209.19, 217.119.139.50 (third-party observed)
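As an added example (not code from BleepingComputer or Fortinet), the Python script below scans FortiOS-style key=value event log lines for the indicators listed above: the two malicious FortiCloud SSO accounts, creation of admin accounts with the rogue names, and activity from the known attacker IPs. The field names it reads (user, ui, srcip, action, cfgpath, cfgobj) and the embedded sample lines are constructed assumptions modelled on FortiOS system-event logs; adapt them to the export format your devices actually produce.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators quoted in the advisory summary above.
MALICIOUS_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
ROGUE_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support",
    "backupadmin", "deploy", "remoteadmin", "security", "svcadmin", "system",
}
ATTACKER_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115",
    "104.28.195.105", "104.28.195.106", "104.28.227.106",
    "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}

# key=value pairs, values either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one FortiOS-style key=value event line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def extract_ips(text: str) -> Set[str]:
    """Return every IPv4 literal found in text, e.g. the host inside ui="https(1.2.3.4)"."""
    return set(IPV4_RE.findall(text))


def match_iocs(event: Dict[str, str]) -> List[str]:
    """Return a human-readable list of indicator matches for one parsed event."""
    hits: List[str] = []
    user = event.get("user", "")
    if user.lower() in MALICIOUS_SSO_ACCOUNTS:
        hits.append(f"malicious FortiCloud SSO account: {user}")
    # Admin-account creation: assumed to be logged as action=Add on cfgpath system.admin
    # with the new account name in cfgobj (assumption about the log schema).
    if event.get("action") == "Add" and event.get("cfgpath") == "system.admin":
        name = event.get("cfgobj", "")
        if name in ROGUE_ADMIN_NAMES:
            hits.append(f"rogue admin account created: {name}")
    seen_ips = extract_ips(event.get("ui", "")) | extract_ips(event.get("srcip", ""))
    for ip in sorted(seen_ips & ATTACKER_IPS):
        hits.append(f"known attacker IP: {ip}")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan log lines; return (1-based line number, hits) for every line with a match."""
    findings: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, 1):
        hits = match_iocs(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample lines (not real device output): the first two imitate the
# reported pattern (SSO login from an attacker IP, immediate admin creation,
# follow-on activity by the new account); the third is benign admin work.
SAMPLE_LOG = [
    'date=2026-01-21 time=09:14:02 logid="0100032001" type="event" subtype="system" '
    'user="cloud-noc@mail.io" ui="sso(104.28.244.115)" action="Add" '
    'cfgpath="system.admin" cfgobj="itadmin" msg="Add system.admin itadmin"',
    'date=2026-01-21 time=09:14:03 logid="0100032001" type="event" subtype="system" '
    'user="itadmin" ui="https(104.28.212.114)" action="Edit" '
    'cfgpath="system.global" msg="Edit system.global"',
    'date=2026-01-21 time=10:02:11 logid="0100032001" type="event" subtype="system" '
    'user="admin" ui="ssh(10.0.0.5)" action="Add" cfgpath="firewall.policy" '
    'cfgobj="42" msg="Add firewall.policy 42"',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}:")
        for hit in hits:
            print(f"  - {hit}")
```

The account names on their own are a weak signal (names like "backup" or "support" may be legitimate on some estates), so the script flags them only when it sees the creation event; a rogue-named account appearing as the actor is caught instead through the attacker IP it connects from. Treat any hit as a trigger for the full response described under Mitigation rather than as a verdict on its own.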
Mitigation
Fortinet has disabled FortiCloud SSO globally for devices running vulnerable firmware. To manually disable FortiCloud SSO login on a device as an additional precaution, run the following in the FortiOS CLI:
config system global
set admin-forticloud-sso-login disable
end
Organizations detecting these IOCs should treat their devices as fully compromised, review all administrator accounts, restore configurations from known-clean backups, and rotate all credentials.
Patches are still in development for FortiOS, FortiManager, and FortiAnalyzer. Fortinet is also investigating whether FortiWeb and FortiSwitch Manager are affected.
