Fortinet Confirms New Zero-Day Behind Malicious SSO Logins
Summary
Fortinet has confirmed a newly discovered zero-day, CVE-2026-24858 (CVSS 9.8), that lets attackers bypass FortiCloud single sign-on (SSO) authentication and log into devices as other users. The flaw affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb; FortiSwitch Manager is being investigated. Exploitation requires an active FortiCloud account and a registered device where FortiCloud SSO is enabled. Fortinet temporarily disabled FortiCloud SSO for all accounts, then re-enabled it while blocking logins from vulnerable device versions and urging customers to upgrade to patched releases. CISA added the CVE to its Known Exploited Vulnerabilities catalogue and scans show roughly 10,000 exposed instances with FortiCloud SSO enabled.
Key Points
- New authentication-bypass zero-day: CVE-2026-24858 (CVSS 9.8) confirmed by Fortinet.
- Affected products include FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb; further impact under investigation.
- Exploit path: an attacker with an active FortiCloud account and a registered device can use FortiCloud SSO to log into other devices on which FortiCloud SSO is enabled.
- Fortinet disabled FortiCloud SSO globally on 26 Jan and re-enabled it on 27 Jan, but now blocks logins from devices running vulnerable versions; the vendor advises immediate upgrades.
- CISA added the CVE to its KEV list; Shadowserver scans report ~10,000 exposed instances with FortiCloud SSO enabled (down from ~25,000 in mid-December).
Context and Relevance
This zero-day follows earlier SSO abuse and a December patch (CVE-2025-59718) that appeared to be bypassed in the wild. Incident responders and vendors observed malicious configuration changes via SSO logins, prompting Fortinet to investigate a new attack path. Because Fortinet appliances often sit at network edges, unauthorised admin access can expose critical configurations and create long-term risks for organisations. Fortinet says the issue is restricted to FortiCloud SSO and does not affect third-party SAML IdP or FortiAuthenticator implementations.
Why should I read this?
Look — if you run Fortinet gear, stop whatever else you were doing and check this. Patch, verify FortiCloud SSO settings and hunt for strange admin changes. Fortinet and CISA are treating this as active and severe, so you definitely want to know if your edge kit is exposed. We read the detail and boiled it down so you can act fast.
Author style
Punchy: this summary flags urgent actions and the real-world impact. If you’re responsible for edge or perimeter security, the full advisory and patches matter — read them and prioritise fixes.
