Fortinet unearths another critical bug as SSO accounts borked post-patch
Summary
Fortinet has disclosed a separate critical FortiCloud SSO authentication-bypass vulnerability, assigned CVE-2026-24858 (CVSS 9.4), after reports that FortiCloud SSO accounts were compromised even though a previous December patch had been applied. The vendor says the alternate attack path was exploited in the wild by two malicious FortiCloud accounts; those accounts were blocked on 22 January.
The flaw can allow an attacker with a FortiCloud account and a registered device to log into devices registered to other accounts when FortiCloud SSO authentication is enabled. Fortinet has disabled FortiCloud SSO connections from vulnerable versions and published an advisory; full patches are still being rolled out for many products. Affected products include FortiAnalyzer, FortiManager, FortiOS and FortiProxy; FortiWeb and FortiSwitch Manager are under investigation. The root technique involves specially crafted SAML responses that can bypass SSO checks, and the issue follows earlier related CVEs patched in December.
Key Points
- CVE-2026-24858 is an authentication bypass (CVSS 9.4) affecting FortiCloud SSO and was exploited in the wild.
- Two malicious FortiCloud accounts were observed exploiting the alternate attack path; these were blocked on 22 January.
- Affected products: FortiAnalyzer, FortiManager, FortiOS and FortiProxy; FortiWeb and FortiSwitch Manager are still being investigated.
- Patches are not fully available for all affected versions; Fortinet has disabled FortiCloud SSO connections from vulnerable releases and recommends upgrading to specified safe versions where available.
- The attacks leverage specially crafted SAML responses to bypass SSO checks; they appear related to earlier December fixes (CVE-2025-59718 and CVE-2025-59719) but use an alternate path.
- FortiCloud SSO is not enabled by default but becomes enabled when a device is registered to FortiCare via the GUI unless the administrator explicitly disables the “Allow administrative login using FortiCloud SSO” toggle.
- Fortinet’s CISO warned that all SAML-based SSO implementations could be at risk, highlighting broader implications beyond Fortinet devices.
Context and Relevance
This is a high-severity operational issue for organisations using Fortinet cloud SSO: attackers gaining admin access to network devices can exfiltrate configuration, pivot internally, or disrupt services. The story underlines two ongoing trends: (1) complex patches can leave alternate attack paths open, and (2) SSO/SAML logic is a recurring source of critical failures. For network and security teams, the advisory is a prompt to audit where FortiCloud SSO is enabled, check device registration workflows, and prioritise upgrades or mitigations as Fortinet releases fixes.
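As an added illustration of that audit (not code from The Register story or from Fortinet), the Python script below parses exported FortiOS configurations and reports which devices have the "Allow administrative login using FortiCloud SSO" toggle explicitly enabled. It assumes the setting is named admin-forticloud-sso-login under 'config system global'; the device exports are constructed samples.

```python
import re
from typing import Dict, List

# Assumed FortiOS CLI name for the GUI toggle "Allow administrative login using
# FortiCloud SSO" (lives under 'config system global'); verify on your firmware.
SSO_KEY = "admin-forticloud-sso-login"

# Constructed sample exports (not real devices). fw-dc-03 is VDOM-enabled, so
# 'config system global' is nested inside 'config global'.
SAMPLE_CONFIGS: Dict[str, str] = {
    "fw-edge-01": "config system global\n"
                  "    set admin-forticloud-sso-login enable\n"
                  "    set hostname \"fw-edge-01\"\nend\n",
    "fw-branch-02": "config system global\n"
                    "    set hostname \"fw-branch-02\"\nend\n",
    "fw-dc-03": "config global\n    config system global\n"
                "        set admin-forticloud-sso-login disable\n"
                "    end\nend\n",
}

def forticloud_sso_status(config_text: str) -> str:
    """Return 'enable', 'disable' or 'not-set' for the SSO admin-login toggle.

    Tracks nested 'config ... / end' blocks so the key is only read from
    'config system global' (table entries use 'edit/next', which we ignore).
    """
    stack: List[str] = []
    status = "not-set"
    pattern = re.compile(rf"^set {re.escape(SSO_KEY)} (\S+)$")
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif stack and stack[-1] == "system global":
            m = pattern.match(line)
            if m:
                status = m.group(1)
    return status

def exposed_devices(configs: Dict[str, str]) -> List[str]:
    """Devices where FortiCloud SSO admin login is explicitly enabled."""
    return sorted(n for n, c in configs.items() if forticloud_sso_status(c) == "enable")

def remediation_cli(devices: List[str]) -> Dict[str, str]:
    """Per-device CLI to turn the toggle off until a fixed build is installed."""
    return {d: f"config system global\n    set {SSO_KEY} disable\nend" for d in devices}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(f"{name}: {forticloud_sso_status(cfg)}")
    print("Exposed:", exposed_devices(SAMPLE_CONFIGS))
```

A device reporting not-set still deserves a manual check if it was registered to FortiCare through the GUI, since the story says registration switches the toggle on.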
Why should I read this?
Short version: if you run Fortinet kit, this could let someone else log in as your admin. It’s messy, it’s active in the wild, and patches are still being shuffled out — so either patch, disable FortiCloud SSO on registered devices, or at least check your registrations now. We’ve done the reading so you don’t have to panic first and then scramble.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/28/fortinet_forticloud_vuln/
