Hackers armed with just their own Fortinet cloud account could bypass authentication and log in to other customers’ accounts if they had Single Sign-On (SSO) enabled – in an extraordinary and exploited security failing.

Attackers have been abusing the SSO bypass vulnerability to create administrator accounts on other Fortinet customers’ systems for persistence – launching the attacks from a pair of their own FortiCloud accounts.

CVE-2026-24858: What, what the…?

Fortinet admitted in a January 27 security advisory that the vulnerability, allocated CVE-2026-24858, was an “unauthenticated bypass of SSO login authentication” – it said it had only seen exploitation of FortiCloud SSO [but] the “issue is applicable to all [Fortinet] SAML SSO implementations.” 

That means an attacker could bypass authentication for FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices to log in and run code.

Fortinet describes FortiCloud as its “platform for delivering security and security management services.” FortiCloud SSO is not enabled by default. 

But Fortinet said in its security advisory that when a device is registered with FortiCare, FortiCloud SSO automatically turns on and remains on unless manually disabled afterward.

Security firm Arctic Wolf said on January 21 it had seen attacks since at least January 15, with the attackers creating “generic accounts intended for persistence” and making “configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations…”

The vulnerability comes weeks after Fortinet fixed a brace of other FortiCloud SSO bypass bugs: CVE-2025-59718 and CVE-2025-59719 (which its internal product security team spotted). Exploitation comes, seemingly, after an attacker promptly spotted an exploitable bypass of those fixes. 

The news will infuriate CISOs already deeply frustrated with the risk being introduced to their systems by software and hardware procured to secure them – not expose them to attack. (The Stack is aware of one CISO in one of the world’s largest institutions whose team is proactively investigating the code quality in regularly exploited appliances like Fortinet and Ivanti… Analysis by Eclypsium of an Ivanti system back in 2024 revealed it was built on massively outdated software with over 900 CVEs in its codebase.)

Fortinet briefly completely disabled SSO for all customers, before removing the malicious tenants and pushing an initial fix.

It’s shared a handful of IOCs here.

"If IOCs are identified in the system, Fortinet recommends treating the system and configuration as compromised and taking the following cleanup actions:

  • Ensure your device is running the latest firmware version. It is recommended to run the latest release (7.6) where possible to take advantage of the latest security features.
  • Restore your configuration with a known clean version or audit for any unauthorized changes. Pay particular attention to unexpected administrators or VPN configuration or accounts.
  • Treat configuration as compromised and follow the guidance below to rotate credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices."
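One way to carry out the configuration audit in the second step above, as an added example that is not Fortinet's or the article's own code: it parses two FortiOS CLI backups (the sample backups below are constructed) and reports administrators and VPN group entries that are new or changed in the suspect backup relative to a known-clean baseline.

```python
# Added example (not Fortinet tooling): diff a suspect FortiOS config backup against a clean one.
WATCHED = ("system admin", "user local", "user group")  # admin and VPN account sections

def parse_config(text):
    """{section: {edit_name: {key: value}}} for top-level config blocks."""
    sections, stack, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])                # nested sub-blocks push too
        elif line == "end":
            stack.pop()
        elif len(stack) == 1 and line.startswith("edit "):
            current = line[5:].strip('"')
            sections.setdefault(stack[0], {})[current] = {}
        elif len(stack) == 1 and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            sections[stack[0]][current][key] = value
        elif len(stack) == 1 and line == "next":
            current = None                        # entries inside sub-blocks are ignored
    return sections

def audit(clean_text, suspect_text):
    """Findings for WATCHED entries that are new or changed vs. the clean baseline."""
    clean, suspect = parse_config(clean_text), parse_config(suspect_text)
    findings = []
    for section in WATCHED:
        before, after = clean.get(section, {}), suspect.get(section, {})
        for name in sorted(after):
            if name not in before:
                findings.append(f"NEW {section}: {name} {after[name]}")
            elif after[name] != before[name]:
                findings.append(f"CHANGED {section}: {name} {after[name]}")
    return findings
# Constructed sample backups in FortiOS CLI syntax (not real device output).
CLEAN = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config user group
    edit "sslvpn-users"
        set member "alice"
    next
end
"""
# Suspect backup: an extra super_admin account and an unknown VPN group member (indentation is irrelevant to the parser).
SUSPECT = CLEAN.replace("end\nconfig user group", (
    'edit "support_tmp"\n set accprofile "super_admin"\n next\nend\nconfig user group'
)).replace('set member "alice"', 'set member "alice" "vpn_svc"')
```

Run `audit(CLEAN, SUSPECT)` to get the two findings; the same call against a real pair of backups flags exactly the "unexpected administrators or VPN configuration or accounts" the advisory tells you to look for.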

CISA has added nine Fortinet vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog over the past 12 months alone. (Over the same period it has added seven known-exploited Ivanti vulnerabilities, five Citrix vulnerabilities, five SonicWall vulnerabilities, and two Palo Alto Networks vulnerabilities.)
