~/home/news/forticloud-sso-zero-day-cve-2026-02-02
newsMonday, February 2, 20268 min read👁 11 views

FortiCloud SSO Zero-Day (CVE-2026-24858) Triggers Global Service Shutdown

Fortinet disclosed a critical authentication-bypass zero-day (CVE-2026-24858) in its FortiCloud single sign-on service. Active exploitation forced the vendor to disable SSO worldwide while patches are rolled out, and CISA added the flaw to its KEV catalog.

FortinetZero-DaySSOCVE-2026-24858

Overview/Introduction

On January 28, 2026 Fortinet announced a critical zero-day vulnerability in its FortiCloud single sign-on (SSO) feature, tracked as CVE-2026-24858. The flaw allows an unauthenticated attacker to bypass FortiCloud’s authentication mechanism and gain administrative access to any FortiGate, FortiManager, FortiAnalyzer, FortiProxy, or FortiWeb device that has cloud SSO enabled. Because the vulnerability was observed being actively exploited in the wild, Fortinet took the unprecedented step of disabling FortiCloud SSO for all customers until patched firmware could be deployed.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately added the issue to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as a high-impact risk for organizations that rely on Fortinet’s cloud-based authentication.

Technical Details

Below is a deep dive into the mechanics of CVE-2026-24858:

  • CVE Identifier: CVE-2026-24858
  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Affected Products: FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb - all versions supporting FortiCloud SSO.
  • Root Cause: An authentication bypass caused by an alternate login path that does not correctly validate the FortiCloud token. The bypass can be triggered by crafting a specially-formed HTTP request to the /logincheck endpoint when SSO is enabled.
  • Exploitation Method: An attacker with a valid FortiCloud account (or a compromised malicious FortiCloud account) can send the crafted request to a target device’s management interface. The device erroneously treats the request as a legitimate SSO login, granting the attacker full administrative privileges.
  • Persistence: Once inside, the adversary can create new local admin accounts, modify firewall policies, or exfiltrate data. In observed incidents, threat actors added hidden admin users that survived firmware upgrades.

The vulnerability is not mitigated by applying the latest firmware releases that address prior FortiCloud SSO bugs (CVE-2025-59718 and CVE-2025-59719) because the bypass uses a different authentication pathway that remained unpatched.

Impact Analysis

The impact of CVE-2026-24858 is severe for any organization that:

  • Uses FortiCloud SSO for remote or internal admin access.
  • Has registered devices to FortiCare without disabling the “Allow administrative login using FortiCloud SSO” toggle.
  • Relies on single sign-on as part of their zero-trust or IAM strategy.

Successful exploitation yields:

  • Full administrative control over the compromised device.
  • Ability to pivot to other network segments, especially if the device sits at a perimeter or data-center location.
  • Potential for credential theft, policy manipulation, and ransomware deployment.

Given the CVSS score of 9.8 and the fact that the flaw is actively exploited, the overall risk rating is Critical.

Timeline of Events

Jan 20-21, 2026 - First reports of unauthorized admin logins on FortiGate firewalls via FortiCloud SSO.
Jan 22, 2026 - Fortinet identifies two malicious FortiCloud accounts used in the attacks; accounts are locked.
Jan 24, 2026 - CISA adds CVE-2025-59718 (previous SSO bypass) to KEV catalog, raising alert levels.
Jan 28, 2026 - Fortinet publicly discloses CVE-2026-24858, disables FortiCloud SSO globally, and releases FortiOS 7.4.11 (partial fix).
Jan 30-Feb 2, 2026 - Security teams worldwide scramble to apply interim mitigations while awaiting additional patches.

Mitigation/Recommendations

Until official patches are available for all affected product lines, organizations should adopt the following layered mitigations:

  1. Immediately disable FortiCloud SSO: Use the local GUI or CLI to turn off the “Allow administrative login using FortiCloud SSO” toggle on every device.
  2. Enforce multi-factor authentication (MFA): Require MFA for all privileged accounts, especially those that manage Fortinet appliances.
  3. Apply the interim patch: Deploy FortiOS 7.4.11 (or later) as soon as it is released. Verify the version includes the CVE-2026-24858 fix.
  4. Audit existing admin accounts: Search for unknown or recently created local admin users. Remove any that are not documented.
  5. Enable strict IP-based management access: Restrict management plane access to known administrative workstations and VPN endpoints.
  6. Monitor authentication logs: Look for anomalous SSO login attempts, especially from unfamiliar IP ranges or FortiCloud accounts.
  7. Segment the network: Isolate critical firewalls and management servers from the broader corporate LAN to limit lateral movement.
  8. Prepare for patch rollout: Test upcoming FortiOS releases in a lab environment before mass deployment.

Organizations that cannot immediately disable SSO should at minimum enforce MFA on FortiCloud accounts and rotate any shared credentials.

Real-World Impact

Enterprises that have already integrated FortiCloud SSO into their identity-as-a-service (IDaaS) workflows are facing an abrupt loss of single-sign-on capability. This forces a rapid shift back to local credential management, which can cause operational friction, especially for distributed teams and MSPs managing dozens of customer firewalls.

Early field reports indicate that attackers have used the vulnerability to:

  • Insert stealth admin accounts on production firewalls, enabling future persistence.
  • Modify outbound security policies to allow exfiltration of sensitive data.
  • Deploy ransomware payloads after establishing control, leveraging the firewall’s ability to disable endpoint security tools.

Financial services, healthcare, and government entities—sectors that heavily rely on Fortinet appliances for perimeter security—are particularly exposed. The global SSO shutdown also means that remote technicians can no longer rely on cloud-based credentials, potentially delaying incident response and remediation activities.

Expert Opinion

From a strategic standpoint, CVE-2026-24858 underscores the inherent risk of delegating privileged authentication to a single cloud service. While FortiCloud SSO offers convenience, it creates a single point of failure that, when compromised, grants attackers a “master key” to an organization’s security fabric.

Fortinet’s decision to globally disable SSO is a rare but necessary move that demonstrates the severity of the threat. It also highlights a broader industry challenge: the need for robust, defense-in-depth controls around identity providers. Organizations should treat any cloud-based IAM integration as a critical security boundary, applying the same hardening practices used for on-premise authentication systems—such as least-privilege access, MFA, continuous monitoring, and rapid revocation capabilities.

Looking ahead, we expect a wave of follow-on patches that not only fix CVE-2026-24858 but also re-architect the SSO flow to eliminate the alternate authentication path. In the meantime, security teams must prioritize the interim mitigations outlined above and revisit their reliance on cloud-based admin access. The incident serves as a cautionary tale: convenience should never outweigh security, especially for the crown jewels of network infrastructure.