
Fortinet Patches Critical FortiCloud SSO Zero-Day Under Attack

Originally published on: January 29, 2026
Summary

– Fortinet is releasing patches for a critical zero-day vulnerability (CVE-2026-24858) that allowed attackers to log into FortiGate firewalls.
– The vulnerability, an authentication bypass, was exploited in the wild using two malicious FortiCloud accounts before they were locked out.
– It affects FortiOS, FortiAnalyzer, and FortiManager, but only if the FortiCloud SSO login feature is enabled on the devices.
– Fortinet has fixed the issue in FortiOS 7.4.11 and advises customers to upgrade, as FortiCloud SSO now blocks logins from vulnerable versions.
– The company also recommends security best practices like restricting administrative internet access and checking logs for indicators of compromise.

Fortinet has issued critical updates to address a newly discovered zero-day vulnerability actively exploited by attackers to gain unauthorized administrative access to firewalls. The flaw, identified as CVE-2026-24858, enabled threat actors to bypass authentication on affected Fortinet security appliances. The company confirmed that malicious actors used two specific FortiCloud accounts to carry out these intrusions before those accounts were locked down.

The issue came to light after several customers reported unauthorized access to their FortiGate firewalls, where attackers created new local administrator accounts. These incidents occurred even on devices running the most recent software versions available at the time, which included patches for a previous flaw, CVE-2025-59718. Initial speculation pointed to an incomplete fix for that older vulnerability, but Fortinet’s investigation revealed a distinct security weakness.

CVE-2026-24858 is classified as an authentication bypass vulnerability. It could allow an individual with a FortiCloud account and a registered device to log into other devices linked to different accounts, but only if those target systems had the FortiCloud Single Sign-On feature enabled. This security gap impacts FortiOS, the operating system for Fortinet firewalls, as well as the FortiAnalyzer analytics platform and the FortiManager centralized management system.

As with the earlier CVE-2025-59718, exploitation of this new flaw is only possible on appliances where the FortiCloud SSO login functionality is active. Fortinet has released a patch in FortiOS version 7.4.11, with updates for the other affected products to follow shortly. The company strongly recommends that users apply these upgrades as soon as they are available for their systems.

In response to the active attacks, Fortinet took decisive action on its cloud infrastructure. The company temporarily disabled the FortiCloud SSO feature globally to prevent further exploitation. After re-enabling it, the service was configured to reject login attempts from any device still running a vulnerable software version. This means customers must install the latest updates to restore SSO functionality.

Fortinet has also provided an expanded list of malicious IP addresses and account names associated with these incidents. Beyond immediate patching, the firm reiterates standard security best practices. These include restricting administrative access to internal networks only and avoiding exposure of management interfaces to the internet. Implementing local-in policies to limit which IP addresses can reach the admin interface is also advised.

Organizations using Fortinet products should immediately review their system logs for any known indicators of compromise. They must also search for suspicious administrator accounts that were not created by authorized personnel. If any evidence of intrusion is found, administrators should change all credentials and restore device configurations from a known clean backup to ensure complete remediation.
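The log review and management-network restriction recommended above can be turned into a repeatable check. The script below is an added example and is not Fortinet's tooling or part of the original article: it parses FortiOS-style key=value event logs and flags (1) local administrator objects added that are not in an inventory of accounts the organisation created, (2) successful admin logins from outside the networks a local-in policy would permit, and (3) logins by accounts nobody in the organisation created. The sample log lines, user names, IP addresses (RFC 5737 documentation ranges) and the `method="sso"` value are all constructed placeholders and are not Fortinet's published indicators of compromise.

```python
"""Added example: triage FortiOS-style event logs for the post-compromise
activity described in the article (new local admin accounts and admin logins
from outside the management network). The log lines below are constructed to
mimic FortiOS key=value event logs; the IPs and user names are placeholders,
not Fortinet's published indicators of compromise."""
import ipaddress
import re

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed inventory: admin accounts the organisation actually created, and
# the networks from which administration is permitted (the local-in policy scope).
KNOWN_ADMINS = {"netops", "netops2"}
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample logs (field names follow FortiOS system event logs; the
# "sso" login method value is an assumption for illustration).
SAMPLE_LOGS = [
    'date=2026-01-27 time=08:02:11 devname="fgt-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" profile="super_admin" msg="Administrator netops logged in successfully from https(10.0.0.5)"',
    'date=2026-01-27 time=08:40:37 devname="fgt-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="cloud_user_0x2" ui="https(203.0.113.10)" method="sso" srcip=203.0.113.10 action="login" status="success" profile="super_admin" msg="Administrator cloud_user_0x2 logged in successfully from https(203.0.113.10)"',
    'date=2026-01-27 time=08:41:02 devname="fgt-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="cloud_user_0x2" ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"',
    'date=2026-01-27 time=08:55:48 devname="fgt-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="svc_backup" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 action="login" status="success" profile="super_admin" msg="Administrator svc_backup logged in successfully from https(203.0.113.10)"',
    'date=2026-01-27 time=09:10:00 devname="fgt-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="netops2" cfgattr="accprofile[prof_admin]" msg="Add system.admin netops2"',
]


def parse_fortios_line(line: str) -> dict:
    """Turn one key=value event line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def in_mgmt_nets(ip: str, nets) -> bool:
    """True if the source address falls inside an allowed management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(lines, known_admins=KNOWN_ADMINS, mgmt_nets=MGMT_NETS):
    """Return a list of finding dicts worth a human's attention, in log order."""
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        # 1. A local administrator object was added that is not in the inventory.
        if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            if f.get("cfgobj") not in known_admins:
                findings.append({"kind": "unexpected_admin_created",
                                 "user": f.get("cfgobj"),
                                 "by": f.get("user"), "ui": f.get("ui")})
        # 2./3. Successful admin logins from outside the management ranges, or
        # by an account that nobody in the organisation created.
        if f.get("action") == "login" and f.get("status") == "success":
            user, src = f.get("user"), f.get("srcip")
            if src and not in_mgmt_nets(src, mgmt_nets):
                findings.append({"kind": "admin_login_outside_mgmt",
                                 "user": user, "srcip": src,
                                 "method": f.get("method")})
            if user not in known_admins:
                findings.append({"kind": "login_by_unknown_admin",
                                 "user": user, "srcip": src})
    return findings


def accounts_to_remove(lines, known_admins=KNOWN_ADMINS):
    """Admin accounts created outside the inventory; candidates for removal
    before credentials are rotated and a clean configuration is restored."""
    return sorted({f["user"] for f in triage(lines, known_admins)
                   if f["kind"] == "unexpected_admin_created"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
    print("remove:", accounts_to_remove(SAMPLE_LOGS))
```

Feed the script real logs exported from the device or FortiAnalyzer, and replace the inventory and management ranges with your own; an account the inventory does not list is a question to answer, not automatically malicious, whereas an out-of-inventory account created by a session that itself came from outside the management ranges is the pattern the article describes.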

(Source: HelpNet Security)
