Critical FortiCloud SSO Vulnerability Actively Explo
Fortinet has confirmed a critical authentication bypass vulnerability impacting its FortiCloud SSO feature. This flaw, tracked as CVE-2026-24858, is currently being actively exploited in the wild....
Fortinet has confirmed a critical authentication bypass vulnerability impacting its FortiCloud SSO feature. This flaw, tracked as CVE-2026-24858, is currently being actively exploited in the wild.
Table Of Content
According to an advisory published on January 27, 2026, the flaw affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy. With a CVSSv3 score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it stems from improper access control (CWE-288) in the GUI component.
Attackers possessing a FortiCloud account and a registered device can log into other devices registered to different accounts if FortiCloud SSO is enabled.
Notably, this feature is not active by default but is enabled during FortiCare registration from the GUI unless administrators explicitly disable the “Allow administrative login using FortiCloud SSO” toggle.
Exploitation Details and Threat Actor Activity
Fortinet detected exploitation by two malicious FortiCloud accounts, locked out on January 22, 2026. To safeguard customers, the vendor disabled FortiCloud SSO on the cloud side on January 26, re-enabling it the next day, and now blocking logins from vulnerable versions.
Post-authentication, attackers downloaded customer config files for reconnaissance and created persistent local admin accounts.
Main operations include config exfiltration and admin privilege escalation. Fortinet urges reviewing all admin accounts for anomalies. Products under investigation include FortiWeb and FortiSwitch Manager.
Urgent upgrades are essential. Fortinet provides an upgrade path tool. Below is a table of affected versions:
| Product | Affected Versions | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiAnalyzer 6.4 | Not affected | N/A |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiManager 6.4 | Not affected | N/A |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to 7.0.19 or above |
| FortiOS 6.4 | Not affected | N/A |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to 7.4.13 or above |
| FortiProxy 7.2 | All versions | Migrate to fixed release |
| FortiProxy 7.0 | All versions | Migrate to fixed release |
Indicators of Compromise
Fortinet shared IoCs for threat hunting. Review logs for these signs of compromise:
| Type | IoC Value |
|---|---|
| SSO Login Accounts | cloud-noc@mail[.]io cloud-init@mail[.]io |
| IP Addresses | 104.28.244[.]115 104.28.212[.]114 104.28.212[.]115 104.28.195[.]105 104.28.195[.]106 104.28.227[.]106 104.28.227[.]105 104.28.244[.]114 37.1.209[.]19 217.119.139[.]50 |
| Malicious Local Accounts | audit backup itadmin secadmin support backupadmin deploy remoteadmin security svcadmin system |
Actors shifted to Cloudflare-protected IPs; emails may evolve post-neutralization.
Mitigations
FortiCloud SSO now rejects vulnerable devices, but disable it locally if needed:
- FortiOS/FortiProxy CLI: text
config system global set admin-forticloud-sso-login disable end - FortiManager/FortiAnalyzer CLI: text
config system saml set forticloud-sso disable end
GUI paths: System > Settings (toggle off) or System Settings > SAML SSO.
Fortinet temporarily disabled its FortiCloud Single Sign-On (SSO) service after confirming active exploitation of a zero-day authentication bypass vulnerability in multiple products.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.