Fortinet FortiCloud SSO Authentication Bypass Under Active Exploitation
Overview
If your organization runs Fortinet appliances with FortiCloud SSO enabled, stop what you’re doing and read this.
CVE-2026-24858 is a critical authentication bypass (CVSS 9.4) in Fortinet’s FortiCloud Single Sign-On mechanism. The short version: anyone with a FortiCloud account can authenticate to devices belonging to other organizations. No exploit code needed. No firmware bug to trigger. Just log in through Fortinet’s own cloud SSO, and you’re in.
Fortinet took the unusual step of disabling FortiCloud SSO service-wide on January 26 to stop the bleeding. CISA added it to the Known Exploited Vulnerabilities catalog the next day with a federal remediation deadline of January 30. That’s a 3-day turnaround, which tells you how seriously they’re taking this.
What Happened
The flaw, classified as CWE-288 (Authentication Bypass Using Alternate Path or Channel), is in how FortiCloud SSO validates device ownership. When SSO is enabled, the authentication flow doesn’t properly verify that the person logging in actually owns or is authorized for the target device. An attacker registers any device to their own FortiCloud account, then pivots through the SSO mechanism to reach devices on other accounts.
What makes this one particularly unsettling: attackers weren’t exploiting a buffer overflow or injecting code. They were using the authentication system exactly as designed. It just happened to skip a critical authorization check. Fully patched systems were compromised too, because this isn’t a firmware vulnerability: it’s a flaw in FortiCloud’s SSO infrastructure itself.
This is also independent of the earlier CVE-2025-59718 and CVE-2025-59719 SAML signature verification issues. If you patched those and assumed you were covered, you’re not.
Who’s Affected
- FortiOS (all versions with FortiCloud SSO enabled)
- FortiManager
- FortiAnalyzer
- FortiWeb
- FortiProxy
- FortiSwitch Manager (still under investigation)
FortiCloud SSO isn’t enabled by default. You have to turn it on during device registration. But organizations that adopted FortiCloud for centralized management are squarely in the blast radius.
What Attackers Did With It
This wasn’t theoretical. Fortinet confirmed active exploitation and identified at least two malicious FortiCloud accounts, cloud-noc@mail.io and cloud-init@mail.io, that were disabled on January 22.
Once inside, attackers were observed:
- Creating persistent local admin accounts so they’d survive even after the SSO issue was fixed
- Rewriting firewall rules to open the door for their own traffic
- Setting up VPN access through those newly minted accounts
- Exfiltrating full firewall configurations, including network topology, ACLs, and credentials
Think about that last one for a moment. Even if you remediate the vulnerability perfectly, an attacker who already pulled your firewall config now has a complete map of your network. That intelligence doesn’t expire when you patch.
Timeline
| Date | Event |
|---|---|
| January 22 | Fortinet identifies and disables two malicious FortiCloud accounts |
| January 26 | FortiCloud SSO disabled service-wide |
| January 27 | SSO re-enabled with version restrictions; CISA adds to KEV catalog |
| January 28 | CISA publishes guidance; scope expanded to include FortiWeb and FortiProxy |
MITRE ATT&CK Mapping
- T1078, Valid Accounts: Legitimate SSO used to access victim devices
- T1098, Account Manipulation: Persistent local admin account creation
- T1562.004, Impair Defenses (Disable or Modify Firewall): Firewall rule changes
- T1133, External Remote Services: VPN access configured for re-entry
- T1005, Data from Local System: Configuration exfiltration
Why This One Matters
We’ve seen plenty of Fortinet vulnerabilities over the years, but this one stands apart for a few reasons.
The barrier to entry is remarkably low. No exploit development, no zero-day broker, no sophisticated tooling. A free FortiCloud account and one registered device are all it takes. That puts this within reach of virtually any threat actor.
Fortinet appliances are perimeter devices: firewalls, WAFs, proxies, management consoles. Compromising one doesn’t just give you a foothold. It gives you control over what gets in and out. Attackers who modify firewall rules can effectively make themselves invisible to your other security tooling.
The scope is also broad. FortiOS, FortiManager, FortiAnalyzer, FortiWeb, and FortiProxy could all be affected, meaning an organization’s entire Fortinet stack could be compromised through a single auth bypass.
What You Should Do Now
- Check your FortiCloud SSO status. If SSO isn’t enabled, you’re not affected by this specific vulnerability. Verify under System > Admin > Settings on each device. Don’t assume. Check.
- Hunt for compromise indicators. Look for unauthorized admin accounts, unexpected firewall rule changes, new VPN configurations, or recent configuration exports. Search specifically for the known attacker accounts (cloud-noc@mail.io, cloud-init@mail.io), but don’t stop there.
- Update firmware. FortiCloud SSO has been re-enabled with version restrictions, and only updated firmware is allowed to use it. Get current.
- Restore from clean backups if compromised. If you find indicators, don’t trust the running config. Roll back to a backup from before January 22 and carefully re-apply only verified changes.
- Rotate everything. Local device credentials, LDAP/AD bind credentials stored on the device, any secrets that could have been in an exported configuration. All of it.
- Consider ditching FortiCloud SSO. Third-party SAML identity providers and FortiAuthenticator are not affected. If your architecture allows it, this is a good time to move.
- Plan for the reconnaissance aftermath. Stolen configurations give attackers a roadmap of your network. Even after remediation, increase monitoring for lateral movement and reconnaissance that could be informed by that stolen intelligence.
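The hunting step above can be turned into a small triage script that runs over exported event logs. What follows is an added example written for this post; it is not Fortinet code or a CCG tool. It assumes FortiGate-style key=value event lines with `user`, `ui`, `action`, `cfgpath`, `cfgobj` and `msg` fields (field names and configuration paths are modelled on FortiOS conventions but are assumptions you should check against your firmware’s actual log output), uses the two attacker accounts and the January 22 date from this advisory, and runs over constructed sample lines rather than real captures. It flags the four behaviours listed under “What Attackers Did With It”, maps each to its ATT&CK technique, and follows the persistence chain: any admin account created in the window by a flagged user is itself treated as suspect, so its later firewall, VPN and backup activity is flagged too.

```python
import re
from typing import Dict, List

# The two FortiCloud accounts the advisory names; everything else here is constructed.
KNOWN_ATTACKER_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# Start of the compromise window: the advisory's first dated event.
INCIDENT_START = "2026-01-22"

# Configuration paths whose Add/Edit matches the observed post-compromise activity.
# Path names are assumptions modelled on FortiOS CLI tables; adjust for your build.
WATCHED_CFG_PATHS = {
    "system.admin": "new or modified local admin account (T1098)",
    "firewall.policy": "firewall rule change (T1562.004)",
    "vpn.ssl.settings": "VPN access configured (T1133)",
    "vpn.ipsec.phase1-interface": "VPN access configured (T1133)",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style key=value event-log line into a dict."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(fields: Dict[str, str], suspect_users: set) -> List[str]:
    """Return the indicator labels one parsed event matches (empty if none)."""
    findings: List[str] = []
    user = fields.get("user", "")
    action = fields.get("action", "")
    cfgpath = fields.get("cfgpath", "")

    if user in KNOWN_ATTACKER_ACCOUNTS:
        findings.append(f"known attacker account {user} (T1078)")
    elif user in suspect_users:
        findings.append(f"activity by account created during incident window: {user}")

    if action in {"Add", "Edit"} and cfgpath in WATCHED_CFG_PATHS:
        findings.append(WATCHED_CFG_PATHS[cfgpath])

    # Assumed representation of a configuration backup/export event.
    if action == "backup" or "backed up" in fields.get("msg", "").lower():
        findings.append("configuration export (T1005)")
    return findings


def hunt(lines: List[str]) -> List[dict]:
    """Scan event lines in order, flag indicators, and treat admin accounts
    created inside the window as suspect so their later actions are flagged."""
    suspect_users = set(KNOWN_ATTACKER_ACCOUNTS)
    hits: List[dict] = []
    for line in lines:
        f = parse_kv_log(line)
        # ISO dates compare correctly as strings; skip events before the window.
        if f.get("date", "") < INCIDENT_START:
            continue
        findings = classify(f, suspect_users)
        if not findings:
            continue
        # Persistence chain: an admin object added during the window becomes suspect.
        if f.get("cfgpath") == "system.admin" and f.get("action") == "Add" and f.get("cfgobj"):
            suspect_users.add(f["cfgobj"])
        hits.append({
            "date": f.get("date"), "time": f.get("time"),
            "user": f.get("user"), "source": f.get("ui"), "findings": findings,
        })
    return hits


# Constructed sample lines in FortiGate-style key=value form (not real captures).
SAMPLE_LOGS = [
    'date=2026-01-20 time=09:12:01 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="system.global" msg="Edit system.global"',
    'date=2026-01-23 time=02:41:17 type="event" subtype="system" user="cloud-noc@mail.io" ui="sso" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-01-23 time=02:43:05 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.9)" action="Add" cfgpath="firewall.policy" cfgobj="42" msg="Add firewall.policy 42"',
    'date=2026-01-23 time=02:45:30 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.9)" action="Edit" cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"',
    'date=2026-01-23 time=02:50:12 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.9)" action="backup" msg="Configuration is backed up"',
    'date=2026-01-24 time=08:00:00 type="event" subtype="user" user="jdoe" ui="https(10.0.0.7)" action="login" msg="Administrator jdoe logged in successfully"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} user={hit["user"]} from={hit["source"]}: '
              + "; ".join(hit["findings"]))
```

Run as-is it reports four events: the attacker account creating `svc_backup`, then that account adding a firewall policy, editing SSL VPN settings and taking a configuration backup; the pre-window edit and the ordinary login are ignored. The window filter is deliberately inclusive (any admin account created after January 22 is followed, not only those made by a known attacker account), which is the right bias for a hunt where the attacker’s own account list is known to be incomplete. Feed it a real `execute log display` or syslog export and expect to tune the path names and the backup-event test first.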
How CCG Can Help
If you’re not sure whether your Fortinet devices were affected, or you’ve found indicators and need to respond quickly, reach out to us. Our team can help with:
- Compromise assessment to determine whether CVE-2026-24858 was exploited in your environment, including forensic analysis of device configurations and logs
- Incident response to contain active threats, restore clean configurations, and coordinate credential rotation across your infrastructure
- Architecture review to evaluate your perimeter security posture and recommend alternatives to FortiCloud SSO that reduce exposure to cloud-based authentication bypass risks
We work with organizations across industries to harden Fortinet deployments and respond to active exploitation. If this vulnerability has you asking hard questions about your perimeter security, we’re here to help answer them.
Sources
- https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
- https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
- https://www.cisa.gov/news-events/alerts/2026/01/27/cisa-adds-one-known-exploited-vulnerability-catalog