Fortinet FortiCloud SSO Zero-Day Exploited to Hijack Firewalls

Fortinet disclosed a critical zero-day vulnerability in its FortiCloud SSO implementation that allowed attackers to log into FortiGate firewalls belonging to other organizations. The company disabled the service for nearly two days while developing mitigations, and patches are now available for FortiOS 7.4.11.

The flaw, tracked as CVE-2026-24858, was discovered in the wild after customers reported unauthorized administrator accounts appearing on their devices.

What Happened

Between January 20 and January 22, two malicious FortiCloud accounts exploited an authentication bypass vulnerability to access FortiGate devices registered to other organizations. The attack required attackers to have their own FortiCloud account with a registered device—then they could authenticate to any other device with FortiCloud SSO enabled.

Fortinet locked out the offending accounts on January 22 after confirming the exploitation. Four days later, on January 26, the company took the unusual step of disabling FortiCloud SSO entirely across all customers while it developed a fix. The service came back online January 27 with protections preventing vulnerable firmware versions from authenticating.

This is the second major FortiGate authentication bypass to hit organizations in under two months. In December, attackers exploited CVE-2025-59718 and CVE-2025-59719 within three days of patch release, prompting CISA to issue an alert. Those flaws involved cryptographic signature verification failures—this new vulnerability takes a different path entirely.

How the Attack Works

CVE-2026-24858 is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel. The vulnerability exists in how FortiOS, FortiManager, and FortiAnalyzer handle FortiCloud SSO authentication requests.

Under normal operation, FortiCloud SSO allows administrators to log into their registered devices through Fortinet's cloud platform. The vulnerability allowed an authenticated FortiCloud user to pivot from their own account to access devices belonging to different organizations—essentially breaking the tenant isolation that should separate customers.

The attack prerequisites are relatively low:

• An attacker needs a valid FortiCloud account
• They need at least one device registered to that account
• Target devices must have FortiCloud SSO enabled

Once those conditions are met, the attacker can authenticate as an administrator on vulnerable target devices.

Affected Products

The vulnerability impacts:

• FortiOS - The operating system running on FortiGate firewalls
• FortiManager - Centralized management platform for FortiGate devices
• FortiAnalyzer - Logging and analytics platform

Fortinet released FortiOS 7.4.11 on January 27 with a fix. Additional patches for FortiManager and FortiAnalyzer are expected shortly.

Who Should Be Concerned

Any organization using FortiCloud SSO for device management should verify their firmware versions immediately. The authentication method is enabled by default when administrators register devices to FortiCare through the GUI—a detail that caught many organizations off guard during December's patch bypass incidents.

From Fortinet's prior advisory: "When an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration."

Organizations that disabled FortiCloud SSO as a workaround for the December vulnerabilities are not affected by this new flaw.

Recommended Actions

1. Update immediately - Apply FortiOS 7.4.11 or later across all affected devices
2. Audit administrator accounts - Check for any unexpected admin accounts created between January 20-22
3. Review authentication logs - Look for suspicious SSO login events during the exploitation window
4. Disable FortiCloud SSO - If immediate patching isn't feasible, disable FortiCloud SSO as a temporary mitigation
5. Enable local MFA - Configure multi-factor authentication for local administrator accounts

Why This Matters

FortiGate firewalls sit at the network perimeter for thousands of organizations worldwide. A vulnerability allowing cross-tenant authentication bypass effectively turns Fortinet's cloud platform into an attack vector against its own customers.

The repeated targeting of Fortinet products—this marks the third significant vulnerability disclosure in two months—reflects a broader trend of threat actors focusing on network edge devices. These systems are internet-exposed by design, often lack endpoint detection capabilities, and provide immediate access to internal networks when compromised.

Organizations running Fortinet infrastructure should consider implementing defense-in-depth measures: network segmentation to limit blast radius, comprehensive logging forwarded to a SIEM, and regular audits of administrator accounts. For those seeking broader context on securing perimeter devices, our hacking news coverage tracks ongoing exploitation campaigns targeting similar infrastructure.