
CRITICAL: Fortinet FortiCloud SSO Authentication Bypass - Actively Exploited

A critical authentication bypass vulnerability (CVSS 9.8) in Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb allows attackers with a FortiCloud account to access devices registered to other accounts when FortiCloud SSO is enabled. This vulnerability is actively being exploited in the wild.

By Danny Mercer, CISSP — Lead Security Analyst. Jan 30, 2026
Affected Products
FortiAnalyzer 7.0-7.6, FortiManager 7.0-7.6, FortiOS 7.0-7.6, FortiProxy 7.0-7.6, FortiWeb 7.4-8.0

Executive Summary

CVE-2026-24858 is a critical authentication bypass vulnerability affecting multiple Fortinet products. This vulnerability is actively being exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of January 30, 2026.

⚠️ IMMEDIATE ACTION REQUIRED - CISA KEV deadline has passed. Remediate immediately.


Vulnerability Details

Attribute            Value
CVE ID               CVE-2026-24858
CVSS Score           9.8 (CRITICAL)
CWE                  CWE-288: Authentication Bypass Using an Alternate Path or Channel
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
CISA KEV             Yes (added 2026-01-27)
Exploitation Status  Actively exploited in the wild

Technical Analysis

The flaw is in FortiCloud SSO authentication. An attacker who holds any FortiCloud account with at least one device registered to it can use FortiCloud SSO to log in, as an administrator, to devices registered to other FortiCloud accounts, provided FortiCloud SSO login is enabled on those devices. The attacker needs no credentials for the target device itself; the only prerequisite is a FortiCloud account of their own, which is why the CVSS vector scores Privileges Required as None.

Key Points:

  • FortiCloud SSO is NOT enabled by default in factory settings
  • However, when an admin registers a device via the GUI, FortiCloud SSO is enabled automatically unless explicitly disabled
  • Fortinet has disabled vulnerable SSO functionality server-side as of 2026-01-26
  • Devices running vulnerable versions can no longer use FortiCloud SSO until patched

Affected Products

FortiAnalyzer

  • 7.6.0 through 7.6.5 → Upgrade to 7.6.6+
  • 7.4.0 through 7.4.9 → Upgrade to 7.4.10+
  • 7.2.0 through 7.2.11 → Upgrade to 7.2.12+ (upcoming)
  • 7.0.0 through 7.0.15 → Upgrade to 7.0.16+ (upcoming)

FortiManager

  • 7.6.0 through 7.6.5 → Upgrade to 7.6.6+
  • 7.4.0 through 7.4.9 → Upgrade to 7.4.10+
  • 7.2.0 through 7.2.11 → Upgrade to 7.2.12+ (upcoming)
  • 7.0.0 through 7.0.15 → Upgrade to 7.0.16+ (upcoming)

FortiOS

  • 7.6.0 through 7.6.5 → Upgrade to 7.6.6+
  • 7.4.0 through 7.4.10 → Upgrade to 7.4.11+
  • 7.2.0 through 7.2.12 → Upgrade to 7.2.13+ (upcoming)
  • 7.0.0 through 7.0.18 → Upgrade to 7.0.19+ (upcoming)

FortiProxy

  • 7.6.0 through 7.6.4 → Upgrade to 7.6.6+ (upcoming)
  • 7.4.0 through 7.4.12 → Upgrade to 7.4.13+ (upcoming)
  • 7.2.0 through 7.2.15 → Upgrade to 7.2.16+ (upcoming)
  • 7.0.0 through 7.0.22 → Upgrade to 7.0.23+ (upcoming)

FortiWeb

  • 8.0.0 through 8.0.3 → Upgrade to 8.0.4+ (upcoming)
  • 7.6.0 through 7.6.6 → Upgrade to 7.6.7+ (upcoming)
  • 7.4.0 through 7.4.11 → Upgrade to 7.4.12+ (upcoming)

Not Affected

  • FortiManager Cloud, FortiAnalyzer Cloud, FortiGate Cloud
  • Setups using Custom IdP for SSO (including FortiAuthenticator)
  • FortiAnalyzer 6.4, FortiManager 6.4/8.0, FortiOS 6.4/8.0, FortiWeb 7.0/7.2
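The affected-version lists above are exactly what the "inventory all Fortinet devices and check version numbers" step in the remediation section needs. The following is an added example, not code from the advisory or from Fortinet: it encodes the ranges listed above, classifies a product/version as affected, fixed, or not listed, and orders the affected devices by the advisory's own priority (internet-facing FortiGate/FortiProxy first, then anything with FortiCloud SSO still enabled). The inventory it runs on is constructed sample data; the hostnames, versions and the `internet_facing`/`sso_enabled` flags are made up for illustration.

```python
# Added example: classify devices against the advisory's affected/fixed ranges.
# Each tuple: (first affected, last affected, first fixed, fix available now?)
AFFECTED_RANGES = {
    "FortiAnalyzer": [
        ("7.6.0", "7.6.5", "7.6.6", True),
        ("7.4.0", "7.4.9", "7.4.10", True),
        ("7.2.0", "7.2.11", "7.2.12", False),
        ("7.0.0", "7.0.15", "7.0.16", False),
    ],
    "FortiManager": [
        ("7.6.0", "7.6.5", "7.6.6", True),
        ("7.4.0", "7.4.9", "7.4.10", True),
        ("7.2.0", "7.2.11", "7.2.12", False),
        ("7.0.0", "7.0.15", "7.0.16", False),
    ],
    "FortiOS": [
        ("7.6.0", "7.6.5", "7.6.6", True),
        ("7.4.0", "7.4.10", "7.4.11", True),
        ("7.2.0", "7.2.12", "7.2.13", False),
        ("7.0.0", "7.0.18", "7.0.19", False),
    ],
    "FortiProxy": [
        ("7.6.0", "7.6.4", "7.6.6", False),
        ("7.4.0", "7.4.12", "7.4.13", False),
        ("7.2.0", "7.2.15", "7.2.16", False),
        ("7.0.0", "7.0.22", "7.0.23", False),
    ],
    "FortiWeb": [
        ("8.0.0", "8.0.3", "8.0.4", False),
        ("7.6.0", "7.6.6", "7.6.7", False),
        ("7.4.0", "7.4.11", "7.4.12", False),
    ],
}


def parse_version(v):
    """'7.4.3' -> (7, 4, 3). Raises ValueError on anything that is not dotted integers."""
    return tuple(int(x) for x in v.strip().split("."))


def assess(product, version):
    """Classify one product/version against AFFECTED_RANGES.

    Returns (status, first_fixed, fix_available). status is 'affected',
    'fixed' or 'not_listed'. 'not_listed' covers branches the advisory does
    not name (FortiOS 6.4 or 8.0, for example) and builds that fall between
    'last affected' and 'first fixed' (FortiProxy 7.6.5): treat those as
    unknown, not as safe, until the vendor advisory says otherwise.
    """
    v = parse_version(version)
    for lo, hi, fix, available in AFFECTED_RANGES.get(product, []):
        if parse_version(lo) <= v <= parse_version(hi):
            return ("affected", fix, available)
        if v[:2] == parse_version(fix)[:2] and v >= parse_version(fix):
            return ("fixed", fix, available)
    return ("not_listed", None, None)


def triage_inventory(devices):
    """devices: iterable of (hostname, product, version, internet_facing, sso_enabled).

    Returns [(hostname, product, version, action), ...] for affected devices
    only, ordered as the advisory recommends: internet-facing FortiGate/FortiProxy
    first, then devices that still have FortiCloud SSO enabled.
    """
    rows = []
    for host, product, version, internet_facing, sso_enabled in devices:
        status, fix, available = assess(product, version)
        if status != "affected":
            continue
        if available:
            action = f"upgrade to {fix}+"
        else:
            action = f"fix {fix} not yet released: disable FortiCloud SSO (workaround)"
        edge = internet_facing and product in ("FortiOS", "FortiProxy")
        key = (0 if edge else 1, 0 if sso_enabled else 1)
        rows.append((key, (host, product, version, action)))
    rows.sort(key=lambda r: r[0])  # stable sort keeps inventory order within a tier
    return [row for _, row in rows]


# Constructed sample inventory: hostnames, versions and flags are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.8", True, True),
    ("fmg-core", "FortiManager", "7.2.11", False, True),
    ("faz-core", "FortiAnalyzer", "7.4.10", False, True),
    ("fw-lab", "FortiOS", "6.4.15", False, False),
    ("proxy-dmz", "FortiProxy", "7.4.12", True, True),
]

if __name__ == "__main__":
    for host, product, version, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {product:14} {version:8} {action}")
```

Feed it the real inventory (for example the version strings from `get system status` on each device) and it returns only the devices that need action, already in patch order. A result of `not_listed` is deliberately not reported as safe: the advisory leaves gaps such as FortiProxy 7.6.5, and those should be resolved against the vendor advisory rather than assumed fixed.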

Indicators of Compromise (IOCs)

Malicious FortiCloud Accounts

cloud-noc@mail.io
cloud-init@mail.io
heltaylor.12@tutamail.com
support@openmail.pro

Attacker IP Addresses

104.28.244.115
104.28.212.114
104.28.212.115
104.28.195.105
104.28.195.106
104.28.227.106
104.28.227.105
104.28.244.114
163.61.198.15
104.28.244.116
38.54.6.28
37.1.209.19
217.119.139.50

Malicious Admin Accounts Created by Attacker

Review all admin accounts for unexpected entries with these names:

audit, backup, itadmin, secadmin, support, backupadmin,
deploy, remoteadmin, security, svcadmin, system, adccount

Observed Attack Behavior

  1. Login via FortiCloud SSO from an attacker-controlled FortiCloud account (the malicious accounts listed above); no credentials for the target device are needed
  2. Download customer configuration files
  3. Create local admin account for persistence

Remediation

Immediate Actions

  1. Upgrade to patched versions listed above (priority action)
  2. Review admin accounts for unauthorized entries
  3. Check logs for SSO logins from the IOC email addresses or IPs
  4. Review device configs for unauthorized changes
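Steps 2 and 3 above, together with the observed attack chain (SSO login, configuration download, local admin account created), come down to a search of the device event logs for the published IOCs. The following is an added example, not code from the advisory or from Fortinet: it parses FortiOS-style key=value event-log lines and flags any record whose source IP is in the attacker IP list, that mentions one of the malicious FortiCloud accounts, or that adds an admin account with one of the names the attacker used. The sample log lines are constructed for the example, and the field names it keys on (`srcip`, `user`, `msg`, `cfgpath`, `cfgobj`) are assumptions about the log schema that must be checked against the product and version actually in use.

```python
import re

# IOCs as listed in the advisory above.
IOC_EMAILS = {
    "cloud-noc@mail.io", "cloud-init@mail.io",
    "heltaylor.12@tutamail.com", "support@openmail.pro",
}
IOC_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
    "163.61.198.15", "104.28.244.116", "38.54.6.28", "37.1.209.19",
    "217.119.139.50",
}
SUSPECT_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system", "adccount",
}

# FortiOS event logs are key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict (quoted values unquoted)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def triage(line):
    """Return the list of IOC matches for one log line (empty list = no match).

    Three checks, mirroring the remediation steps above:
      1. source IP in the attacker IP list;
      2. a malicious FortiCloud account e-mail anywhere in the record
         (assumption: the SSO login event carries the account e-mail in
         'user' or 'msg'; the exact field differs by product and version);
      3. an admin-account config change (assumption: cfgpath=system.admin,
         cfgobj=<account name>) whose name is in the attacker's list.
    """
    rec = parse_log(line)
    hits = []
    if rec.get("srcip") in IOC_IPS:
        hits.append(f"attacker IP {rec['srcip']}")
    blob = " ".join(rec.values()).lower()
    hits.extend(f"malicious FortiCloud account {e}" for e in sorted(IOC_EMAILS) if e in blob)
    if rec.get("cfgpath") == "system.admin" and rec.get("cfgobj", "").lower() in SUSPECT_ADMIN_NAMES:
        hits.append(f"admin account '{rec['cfgobj']}' matches attacker-created names")
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line that matches at least one IOC."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = triage(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample lines in FortiOS event-log style; field names are
# approximate and these are not real captures.
SAMPLE_LOGS = [
    'date=2026-01-24 time=03:12:41 type="event" subtype="system" logdesc="Admin login successful" '
    'user="cloud-noc@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 '
    'action="login" status="success" msg="Administrator cloud-noc@mail.io logged in successfully"',
    'date=2026-01-24 time=03:13:05 type="event" subtype="system" logdesc="Object configured" '
    'user="cloud-noc@mail.io" ui="sso(104.28.244.115)" srcip=104.28.244.115 action="Add" '
    'cfgpath="system.admin" cfgobj="backup" cfgattr="accprofile[super_admin]" msg="Add system.admin backup"',
    'date=2026-01-24 time=08:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: " + "; ".join(hits))
```

Run it over exported event logs (or a FortiAnalyzer export of the same records) rather than only the live log buffer, since the observed activity dates back to before the accounts were locked on 2026-01-22. A hit on the admin-name check alone is a lead, not proof: those names are generic, so confirm against the creating user, source IP and timestamp before treating the device as compromised.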

Workaround (if patching is delayed)

Fortinet has disabled FortiCloud SSO server-side for vulnerable versions, so the bypass is not reachable even on unpatched devices today. Disable it explicitly on the device as well, so that exposure does not depend on the server-side block and does not return if the device is re-registered through the GUI (which enables SSO automatically, see above):

FortiOS/FortiProxy CLI:

config system global
  set admin-forticloud-sso-login disable
end

FortiManager/FortiAnalyzer CLI:

config system saml
  set forticloud-sso disable
end

CyberOne Customer Impact

Organizations using Fortinet products for perimeter security should:

  1. Inventory all Fortinet devices and check version numbers
  2. Prioritize patching internet-facing FortiGate/FortiProxy devices
  3. Hunt for IOCs in authentication logs
  4. Report any compromise to your CyberOne account team

Timeline

Date        Event
2026-01-22  Fortinet locks the malicious FortiCloud accounts
2026-01-26  Fortinet disables FortiCloud SSO server-side for vulnerable versions
2026-01-27  CVE published, added to CISA KEV, Fortinet advisory released
2026-01-29  NVD analysis complete
2026-01-30  CISA remediation deadline

Tags

Fortinet, FortiOS, FortiManager, FortiAnalyzer, Authentication Bypass, CISA KEV, Actively Exploited, Zero-Day, SSO, CWE-288
