Fortinet blocks exploited FortiCloud SSO zero day until patch is ready

Fortinet confirmed an actively exploited critical FortiCloud single sign-on (SSO) authentication bypass tracked as CVE-2026-24858 and mitigated attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware. Attackers abused FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices—creating rogue local admin accounts from accounts such as [email protected] and exfiltrating firewall configurations—while Fortinet disabled abusive FortiCloud accounts, globally restricted SSO, and is developing patches. #FortiCloud #FortiGate

Key points

  • CVE-2026-24858 is a critical FortiCloud SSO authentication bypass that can grant cross-customer administrative access.
  • The vulnerability was exploited in the wild via an alternate authentication path even on devices running the latest firmware.
  • Fortinet mitigated attacks by disabling abusive FortiCloud accounts, globally restricting FortiCloud SSO, and blocking logins from vulnerable devices server-side.
  • Attackers created multiple rogue admin accounts (e.g., audit, backup, itadmin) and quickly exfiltrated firewall configurations.
  • Administrators are advised to review admin accounts, restore from known-clean backups, rotate credentials, and consider disabling SAML/SSO until patches are available.
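The last key point asks administrators to review admin accounts. The following Python script is an added example (not code from the article, BleepingComputer, or Fortinet) of one way to do that offline: it parses the `config system admin` block of a FortiOS configuration backup and reports every local administrator that is not on an allowlist, ordering `super_admin` accounts first and noting accounts whose `trusthost` permits logins from any source. It assumes the usual FortiOS CLI backup layout (`config system admin` / `edit "<name>"` / `set <key> <value>` / `next` / `end`); the sample configuration, the hostname and the account names in it are constructed for this example.

```python
"""
Added example (not from the article or Fortinet): audit the local
administrator accounts in a FortiOS configuration backup against an
allowlist, so unexpected names such as 'audit' or 'itadmin' stand out.

Assumed backup layout (standard FortiOS CLI format):
    config system admin
        edit "<name>"
            set accprofile "<profile>"
            set trusthost1 <ip> <mask>
            ...
        next
    end
"""
import re
from typing import Dict, List

# Constructed sample backup: one expected admin plus two unexpected ones.
SAMPLE_CONFIG = """\
#config-version=EXAMPLE-CONSTRUCTED
config system global
    set hostname "branch-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.0.2.0 255.255.255.0
        set password ENC REDACTED
    next
    edit "audit"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "itadmin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC REDACTED
    next
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

# Accounts that are expected to exist on this device (constructed allowlist).
ALLOWLIST = {"admin"}


def parse_admin_accounts(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {setting: value}} from the 'config system admin' block only."""
    accounts: Dict[str, Dict[str, str]] = {}
    in_admin_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_admin_block = True
            continue
        if not in_admin_block:
            continue
        if line == "end":  # closes the admin block; later blocks are ignored
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            accounts[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (.*)", line)
        if m and current is not None:
            accounts[current][m.group(1)] = m.group(2).strip('"')
    return accounts


def find_unexpected_admins(config_text: str, allowlist=ALLOWLIST) -> List[str]:
    """Admin names not on the allowlist; super_admin accounts are listed first."""
    accounts = parse_admin_accounts(config_text)
    unexpected = [name for name in accounts if name not in allowlist]
    unexpected.sort(key=lambda n: (accounts[n].get("accprofile") != "super_admin", n))
    return unexpected


def open_trusthost_admins(config_text: str) -> List[str]:
    """Admins reachable from any source: no trusthost set, or trusthost1 is 0.0.0.0/0."""
    result = []
    for name, settings in parse_admin_accounts(config_text).items():
        th = settings.get("trusthost1")
        if th is None or th == "0.0.0.0 0.0.0.0":
            result.append(name)
    return sorted(result)


if __name__ == "__main__":
    for name in find_unexpected_admins(SAMPLE_CONFIG):
        print(f"unexpected admin: {name}")
    for name in open_trusthost_admins(SAMPLE_CONFIG):
        print(f"admin with unrestricted trusthost: {name}")
```

Run it against a configuration exported from the device (or a stored backup) rather than the constructed sample, and compare the result against the backup taken before the exposure window; an account that is absent from the known-clean backup but present now is the kind of finding the article describes.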

Read More: https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/