
Fortinet blocks exploited FortiCloud SSO zero day until patch is ready


Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.

The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.

The confirmation comes after Fortinet customers reported compromised FortiGate firewalls on January 21, with attackers creating new local administrator accounts via FortiCloud SSO on devices running the latest available firmware.

The attacks were initially thought to rely on a patch bypass for CVE-2025-59718, a previously exploited critical FortiCloud SSO authentication bypass flaw that was patched in December 2025.

Fortinet admins reported that the hackers were logging into FortiGate devices via FortiCloud SSO using the email address [email protected], then creating new local admin accounts.

Logs shared by impacted customers showed indicators similar to those observed during the December exploitation.

On January 22, cybersecurity firm Arctic Wolf confirmed the attacks, saying they appeared automated, with new rogue admin and VPN-enabled accounts created and firewall configurations exfiltrated within seconds. Arctic Wolf said the attack appeared similar to a previous campaign exploiting CVE-2025-59718 in December.

Fortinet confirms alternate attack path

On January 23, Fortinet confirmed that attackers were exploiting an alternate authentication path that remained even on fully patched systems.

Fortinet CISO Carl Windsor said the company had observed cases in which devices running the latest firmware were compromised, indicating that a new attack path was being exploited.
