
Critical Fortinet FortiCloud SSO Authentication Bypass Under Active Exploitation (CVE-2026-24858)

Published: Wed 28 January 2026

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

Fortinet has disclosed a Critical authentication bypass vulnerability impacting FortiOS, FortiManager, FortiAnalyzer, and FortiProxy, tracked as CVE-2026-24858 (CVSS 9.4), after observation of active exploitation targeting FortiCloud SSO administrative logins.

CISA added CVE-2026-24858 to the Known Exploited Vulnerabilities (KEV) catalog on 27 Jan 2026 with a remediation due date of 30 Jan 2026.

Vendor patches are still being finalised; in the interim, Fortinet has deployed FortiCloud-side controls that prevent vulnerable versions from authenticating via FortiCloud SSO.

Vulnerability details

CVE-2026-24858 is an authentication bypass via an alternate path/channel (CWE-288) affecting Fortinet’s FortiCloud SSO administrative login. In practical terms, if FortiCloud SSO admin login is enabled on a device, an attacker who already has their own FortiCloud account and a registered device may be able to authenticate to other customers’ devices registered to different FortiCloud accounts.

This activity is closely related to the December 2025 FortiCloud SSO vulnerabilities (CVE-2025-59718 and CVE-2025-59719) because it targets the same overall surface: administrative authentication via FortiCloud SSO / SAML SSO. However, Fortinet and third-party tracking describe CVE-2026-24858 as a new issue rather than a patch bypass, and it has reportedly been used against environments believed to be fully patched for the December 2025 CVEs. Mechanically, the earlier vulnerabilities were described as unauthenticated crafted SAML / signature verification flaws, whereas CVE-2026-24858 hinges on attacker-controlled FortiCloud identity and device registration, and appears to enable cross-tenant authentication when FortiCloud SSO is enabled.

FortiCloud SSO admin login is not enabled by default, but it can be inadvertently switched on during FortiCare registration from the device GUI unless administrators explicitly disable the “Allow administrative login using FortiCloud SSO” toggle. As part of its response, Fortinet has also blocked FortiCloud SSO admin logins from vulnerable (unpatched) versions on the FortiCloud side. Fortinet’s investigation is also still evolving, with FortiWeb and FortiSwitch Manager noted as products under investigation for potential impact.

Affected products / versions

Fortinet’s FG-IR-26-060 advisory lists the following products and versions as potentially vulnerable:

Version             Affected                Solution
------------------  ----------------------  ------------------------------------
FortiAnalyzer 7.6   7.6.0 through 7.6.5     Upgrade to upcoming 7.6.6 or above
FortiAnalyzer 7.4   7.4.0 through 7.4.9     Upgrade to upcoming 7.4.10 or above
FortiAnalyzer 7.2   7.2.0 through 7.2.11    Upgrade to upcoming 7.2.12 or above
FortiAnalyzer 7.0   7.0.0 through 7.0.15    Upgrade to upcoming 7.0.16 or above
FortiAnalyzer 6.4   Not affected            Not Applicable
FortiManager 7.6    7.6.0 through 7.6.5     Upgrade to upcoming 7.6.6 or above
FortiManager 7.4    7.4.0 through 7.4.9     Upgrade to upcoming 7.4.10 or above
FortiManager 7.2    7.2.0 through 7.2.11    Upgrade to upcoming 7.2.13 or above
FortiManager 7.0    7.0.0 through 7.0.15    Upgrade to upcoming 7.0.16 or above
FortiManager 6.4    Not affected            Not Applicable
FortiOS 7.6         7.6.0 through 7.6.5     Upgrade to upcoming 7.6.6 or above
FortiOS 7.4         7.4.0 through 7.4.10    Upgrade to upcoming 7.4.11 or above
FortiOS 7.2         7.2.0 through 7.2.12    Upgrade to upcoming 7.2.13 or above
FortiOS 7.0         7.0.0 through 7.0.18    Upgrade to upcoming 7.0.19 or above
FortiOS 6.4         Not affected            Not Applicable
FortiProxy 7.6      7.6.0 through 7.6.4     Upgrade to upcoming 7.6.6 or above
FortiProxy 7.4      7.4.0 through 7.4.12    Upgrade to upcoming 7.4.13 or above
FortiProxy 7.2      7.2 all versions        Migrate to a fixed release
FortiProxy 7.0      7.0 all versions        Migrate to a fixed release

Impact

Successful exploitation of CVE-2026-24858 may allow an attacker with a FortiCloud account and a registered device to bypass administrative FortiCloud SSO authentication on affected Fortinet products where FortiCloud SSO admin login is enabled. This can result in administrative access to targeted devices, including those registered to other FortiCloud accounts, and may lead to:

  • Full compromise of affected Fortinet platforms (firewalls, management and analytics systems, and proxies).
  • Unauthorised configuration changes, including security policies, VPN settings, routing, logging and inspection behaviour.
  • Theft of sensitive configuration data (e.g., VPN configuration, credentials stored on-device, certificates/keys where accessible, and network topology information).
  • Persistence via creation of new local administrator accounts, enabling ongoing access even if the initial SSO access path is later constrained.
  • Follow-on intrusion activity, including lateral movement into internal networks using trusted network positioning and harvested configuration intelligence.

Unlike with the December 2025 FortiCloud SSO vulnerabilities, Fortinet has confirmed active exploitation in the wild for this issue, with observed attacker activity including configuration download and local admin account creation. Fortinet’s investigation remains ongoing, and further details (including additional affected products and indicators) may be published as the situation develops.

Mitigation actions

Apply vendor remediation (priority)

  • Identify exposure: inventory Fortinet devices (FortiOS, FortiManager, FortiAnalyzer, FortiProxy) and determine whether “Allow administrative login using FortiCloud SSO” was enabled.
  • Upgrade where fixed releases are available: Fortinet has indicated several fixed builds are upcoming. Plan upgrades as soon as the relevant fixed versions are released for your product line.
  • Use the Fortinet Upgrade Tool to follow supported upgrade paths and avoid unsupported upgrade hops:
    https://docs.fortinet.com/upgrade-tool/fortigate

FortiCloud SSO controls (risk reduction)

  • Fortinet has implemented FortiCloud-side controls which prevent vulnerable versions from using FortiCloud SSO administrative login. In practice, this means FortiCloud SSO authentication may already be blocked on vulnerable devices.
  • If FortiCloud SSO admin login is not required, disable it locally to reduce exposure and simplify assurance.

Disable via GUI:

System → Settings → Allow administrative login using FortiCloud SSO → Off

Disable via CLI:

config system global
    set admin-forticloud-sso-login disable
end
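The two "identify exposure" steps above (confirm the running version against the advisory table and confirm whether the FortiCloud SSO admin toggle is on) can be checked offline against a FortiOS configuration backup rather than by logging in to each device. The script below is an added example written for this advisory, not Fortinet tooling. It assumes the backup starts with a "#config-version=<model>-<major.minor.patch>-FW-..." header, that the toggle appears as "set admin-forticloud-sso-login enable|disable" under "config system global" (absent when left at default, which the script reports as "not set" rather than guessing), and that local administrators are "edit" entries under "config system admin". The sample backup is constructed; the FortiOS ranges are those in the table above, and the admin names it flags are the ones Fortinet observed being created post-SSO login (listed under Indicators of compromise below).

```python
"""Audit a FortiOS configuration backup for CVE-2026-24858 exposure (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Affected FortiOS ranges from Fortinet's FG-IR-26-060 table, keyed by branch.
AFFECTED_FORTIOS = {
    (7, 6): ((7, 6, 0), (7, 6, 5)),
    (7, 4): ((7, 4, 0), (7, 4, 10)),
    (7, 2): ((7, 2, 0), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 18)),
}
NOT_AFFECTED_BRANCHES = {(6, 4)}

# Local admin names Fortinet observed being created after a malicious SSO login.
SUSPICIOUS_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}


@dataclass
class AuditResult:
    version: Optional[Tuple[int, int, int]]
    version_affected: Optional[bool]        # None = branch not listed in the advisory
    sso_admin_login: str                    # "enable", "disable" or "not set"
    admins: List[str] = field(default_factory=list)
    suspicious_admins: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """Exposure requires both a vulnerable version and the SSO admin toggle on."""
        return bool(self.version_affected) and self.sso_admin_login == "enable"


def parse_version(config: str) -> Optional[Tuple[int, int, int]]:
    # Assumption: header looks like '#config-version=FGVM64-7.4.5-FW-build...'
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def fortios_affected(version) -> Optional[bool]:
    if version is None:
        return None
    branch = tuple(version[:2])
    if branch in NOT_AFFECTED_BRANCHES:
        return False
    rng = AFFECTED_FORTIOS.get(branch)
    if rng is None:
        return None
    lo, hi = rng
    return lo <= tuple(version) <= hi


def audit(config: str) -> AuditResult:
    version = parse_version(config)
    result = AuditResult(version, fortios_affected(version), "not set")
    stack = []  # nested 'config ...' section names, innermost last
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("edit ") and stack and stack[-1] == "system admin":
            name = line[len("edit "):].strip('"')
            result.admins.append(name)
            if name.lower() in SUSPICIOUS_ADMIN_NAMES:
                result.suspicious_admins.append(name)
        elif (line.startswith("set admin-forticloud-sso-login ")
              and stack and stack[-1] == "system global"):
            result.sso_admin_login = line.split()[-1]
    return result


# Constructed sample backup: a 7.4.5 unit with SSO admin login on and a suspicious admin.
SAMPLE_CONFIG = """\
#config-version=FGVM64-7.4.5-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "itadmin"
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    r = audit(SAMPLE_CONFIG)
    print(f"version={r.version} affected={r.version_affected} sso={r.sso_admin_login} "
          f"exposed={r.exposed} admins={r.admins} suspicious={r.suspicious_admins}")
```

Run it over each exported backup; a result with exposed=True belongs at the top of the upgrade queue, and any name in suspicious_admins should be reconciled against change records before being assumed legitimate.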

Harden management access

  • Restrict management interfaces to trusted admin networks / VPN only (avoid direct Internet exposure).
  • Enforce strong MFA for administrative access wherever supported (FortiCloud, IdP, and local admin workflows).
  • Apply least privilege / RBAC for Fortinet administration, and minimise the number of admin accounts.
  • Review and secure SAML / Identity Provider configurations used for administrative access, and confirm FortiCloud SSO is only enabled where there is a clear operational requirement.

Detection capabilities

Logging & telemetry

Ensure Fortinet device logs (FortiOS/FortiProxy/FortiManager/FortiAnalyzer), authentication logs, and (where applicable) Identity Provider / SAML logs are forwarded to a SIEM or central monitoring platform. Focus on retaining:

  • Administrator authentication events (especially FortiCloud SSO / SAML SSO logins)
  • Administrative actions / configuration changes
  • System events and account management events (new users, role changes)
  • Configuration export / download events (where logged)

Indicators of compromise (IOCs)

Known FortiCloud SSO login user accounts (observed)

  • cloud-noc@mail.io (Fortinet reports this account was disabled/locked out as part of their response.)
  • cloud-init@mail.io (Fortinet reports this account was disabled/locked out as part of their response.)

Note: Fortinet states these addresses may change over time. Treat them as “known bad,” not exhaustive, and continue hunting for unexpected FortiCloud SSO admin logins and follow-on activity.

Observed source IP addresses (Fortinet)

  • 104.28.244.115
  • 104.28.212.114
  • 104.28.212.115
  • 104.28.195.105
  • 104.28.195.106
  • 104.28.227.106
  • 104.28.227.105
  • 104.28.244.114

Note: Fortinet reports the actor appears to have used Cloudflare-protected IPs.

Additional IPs observed by third parties (not Fortinet)

  • 37[.]1.209.19
  • 217[.]119.139.50

Suspicious local admin account names observed (post-SSO login)

  • audit
  • backup
  • itadmin
  • secadmin
  • support
  • backupadmin
  • deploy
  • remoteadmin
  • security
  • svcadmin
  • system

Note: Fortinet reports naming changed over time; review all admin accounts for unexpected additions.

Hunt guide (recommended queries / patterns)

  • Review FortiCloud SSO / SAML SSO admin logins for anomalies (new/unusual source IPs, odd times, atypical accounts) and any immediate privileged actions afterwards.

  • Alert on known-bad SSO accounts (cloud-noc@mail.io, cloud-init@mail.io) and treat any hits as a rapid triage trigger (review source IP + follow-on changes).

  • Look for the common attack chain: SSO admin login → config access/export → new local admin created.

  • Monitor for persistence and tampering: unexpected admin accounts, privilege escalations/resets, and high-risk configuration changes (SSO/auth settings, management exposure, VPN, logging).

  • Use reported IPs as pivots, not proof: an IP hit is a lead; confirm it lines up with an SSO admin login plus follow-on actions, as IPs may be Cloudflare-fronted or rotating.

  • Look for unusual outbound connections from the management plane around suspicious SSO admin logins (even small/short HTTPS sessions may indicate configuration or account data being retrieved or sent).
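The hunt guide above boils down to one correlation: a FortiCloud SSO admin login, rated by whether it hits the listed accounts or IPs, followed within a short window by a configuration export or a local admin being created by the same user. The script below is an added example written for this advisory (not Triskele Labs or Fortinet code) that runs that correlation over FortiOS-style key=value event lines. The log lines are constructed, and three things are assumptions to map onto your own telemetry: that an SSO login carries method="forticloud-sso", that a config export is logged with logdesc="Config backup", and that an admin add appears as cfgpath="system.admin" action="Add". The IOC lists are taken from this advisory (the third-party IPs un-defanged); the 30-minute follow-on window is the example's own choice.

```python
"""Correlate the CVE-2026-24858 attack chain in FortiOS-style event logs (added example)."""
import re
from datetime import datetime, timedelta

# IOCs from this advisory. The two third-party IPs are listed defanged on the page.
KNOWN_BAD_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
KNOWN_BAD_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}
SUSPICIOUS_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}
FOLLOW_ON_WINDOW = timedelta(minutes=30)  # assumption: follow-on actions within 30 min

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one key=value line; values may be double-quoted or bare."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def event_time(ev: dict) -> datetime:
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def classify(ev: dict):
    """Map an event to a chain stage: sso_login -> config_export -> admin_created."""
    desc = ev.get("logdesc", "")
    if desc == "Admin login successful" and ev.get("method") == "forticloud-sso":
        return "sso_login"                       # assumption: SSO marker field
    if desc == "Config backup":                  # assumption: export descriptor
        return "config_export"
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "admin_created"
    return None


def hunt(lines):
    """One finding per SSO admin login; severity rises with IOC hits and follow-on actions."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=event_time)
    findings = []
    for i, ev in enumerate(events):
        if classify(ev) != "sso_login":
            continue
        reasons, chain = [], []
        if ev.get("user") in KNOWN_BAD_SSO_ACCOUNTS:
            reasons.append("known-bad SSO account")
        if ev.get("srcip") in KNOWN_BAD_IPS:
            reasons.append("reported source IP")   # a lead, not proof on its own
        t0 = event_time(ev)
        for later in events[i + 1:]:
            if event_time(later) - t0 > FOLLOW_ON_WINDOW:
                break
            stage = classify(later)
            if stage in ("config_export", "admin_created") and later.get("user") == ev.get("user"):
                chain.append(stage)
                if stage == "admin_created" and later.get("cfgobj", "").lower() in SUSPICIOUS_ADMIN_NAMES:
                    reasons.append(f"created admin with observed name {later['cfgobj']!r}")
        # Follow-on privileged actions outrank a bare IOC match; every SSO login is still listed.
        severity = "high" if chain else ("medium" if reasons else "info")
        findings.append({"time": t0, "user": ev.get("user"), "srcip": ev.get("srcip"),
                         "severity": severity, "reasons": reasons, "chain": chain})
    return findings


# Constructed sample: one benign SSO login, one full attack chain, one local (non-SSO) login.
SAMPLE_LOGS = [
    'date=2026-01-27 time=08:55:10 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" srcip=10.0.0.5 method="forticloud-sso" action="login" status="success"',
    'date=2026-01-27 time=09:14:02 type="event" subtype="system" logdesc="Admin login successful" user="cloud-noc@mail.io" srcip=104.28.244.115 method="forticloud-sso" action="login" status="success"',
    'date=2026-01-27 time=09:15:30 type="event" subtype="system" logdesc="Config backup" user="cloud-noc@mail.io" srcip=104.28.244.115 action="backup" status="success"',
    'date=2026-01-27 time=09:16:05 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-noc@mail.io" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="itadmin" action="Add" msg="Add system.admin itadmin"',
    'date=2026-01-27 time=09:40:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.0.9 method="https" action="login" status="success"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['time']} {f['severity']:6} user={f['user']} srcip={f['srcip']} "
              f"chain={f['chain']} reasons={f['reasons']}")
```

The "info" findings are deliberate: the advisory asks for every FortiCloud SSO admin login to be reviewed, so the script lists them all and lets the chain and IOC evidence decide which to triage first.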

If compromise is suspected

  • Isolate suspected devices from the network.
  • Review admin accounts and configuration history for unauthorised changes.
  • Restore from known-good backups and upgrade to fixed firmware when available.
  • Rotate credentials (local admins, directory/IdP, VPN creds, API keys) and consider broader environment threat hunting for lateral movement.

MDR customers: Triskele Labs is actively tuning detections for behaviour consistent with exploitation of CVE-2026-24858 and related Fortinet authentication bypass activity across supported log sources.

Vulnerability Management customers: Environments are being assessed for vulnerable Fortinet versions; any exposure will be communicated through priority channels.

References