CVE-2026-24858 — Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability

Fortinet FortiCloud SSO — Cross-tenant authentication bypass lets attackers log into other customers' devices

What is Fortinet FortiCloud SSO?

Fortinet is a leading enterprise network security vendor whose products — including FortiOS (the operating system powering FortiGate firewalls), FortiAnalyzer (log management and analytics), FortiManager (centralized policy and configuration management), and FortiProxy (secure web gateway) — are deployed by hundreds of thousands of organizations worldwide as the core of their network perimeter security. FortiCloud is Fortinet's cloud management platform, providing centralized visibility, licensing, and device management. FortiCloud Single Sign-On (SSO) allows administrators to log into their Fortinet appliances using their FortiCloud identity credentials rather than device-local accounts, simplifying management of large deployments.

Because FortiGate firewalls, FortiManager, and FortiAnalyzer sit at the boundary of enterprise networks and control inbound/outbound traffic policy, VPN access, and security logging, unauthorized administrative access to these devices represents maximum-severity compromise: an attacker who can log in as an admin can create persistent backdoor accounts, modify firewall rules, disable security policies, intercept VPN traffic, and exfiltrate the device configuration containing all network topology and credential details.

Overview

CVE-2026-24858 is a CWE-288 (Authentication Bypass Using an Alternate Path or Channel) vulnerability in Fortinet's FortiCloud SSO administrative authentication mechanism. The flaw enables a cross-tenant authentication bypass: an attacker who possesses their own legitimate FortiCloud account and has at least one device registered to that account can authenticate to devices registered to entirely different FortiCloud accounts — belonging to other customers — if those devices have FortiCloud SSO admin login enabled. This is an authorization boundary failure in the SSO trust model, not a credential theft: the attacker uses their own valid FortiCloud identity to access devices they should have no rights to.

Active exploitation was confirmed beginning January 20, 2026, when multiple Fortinet customers reported unauthorized access to their FortiGate firewalls with creation of new local admin accounts, despite running fully patched FortiOS versions. Fortinet identified two malicious FortiCloud accounts involved in the exploitation on January 22, 2026, and locked them. CISA added the vulnerability to the KEV catalog on January 27, 2026 — the same day the advisory was published — reflecting the severity of confirmed active exploitation.

Affected Versions

Component     | Vulnerable                                            | Fixed
FortiOS       | 7.0.0–7.0.18, 7.2.0–7.2.12, 7.4.0–7.4.10, 7.6.0–7.6.5 | 7.0.19+, 7.2.13+, 7.4.11+, 7.6.6+
FortiAnalyzer | 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.5  | 7.0.16+, 7.2.12+, 7.4.10+, 7.6.6+
FortiManager  | 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.5  | 7.0.16+, 7.2.12+, 7.4.10+, 7.6.6+
FortiProxy    | 7.0.0–7.0.22, 7.2.0–7.2.15, 7.4.0–7.4.12, 7.6.0–7.6.4 | 7.0.23+, 7.2.16+, 7.4.13+, 7.6.5+

Only deployments with FortiCloud SSO admin login enabled are vulnerable. Third-party SAML identity providers and FortiAuthenticator-based SSO are not affected by this specific vulnerability.

Technical Details

The vulnerability is an authorization control failure in the FortiCloud SSO administrative authentication pathway. Fortinet's FortiCloud SSO uses a trust model in which the FortiCloud identity service validates an authenticated user's identity and issues a token or assertion that the target device accepts to grant administrative access. The flaw is that the device-side validation of this assertion does not adequately enforce the tenant boundary — specifically, that the authenticating FortiCloud account must be the same account under which the target device is registered.

In practical terms, the attack requires:

  1. The attacker possesses a valid FortiCloud account (any account — this is a low barrier, as FortiCloud accounts are freely registrable).
  2. The attacker has at least one device registered to their FortiCloud account, establishing a legitimate presence in the FortiCloud ecosystem.
  3. A target device belonging to a different FortiCloud customer has FortiCloud SSO administrative login enabled.

Under these conditions, the attacker can use the FortiCloud SSO login flow to authenticate to the victim's device using their own FortiCloud identity. The target device's SSO validation fails to reject the cross-tenant assertion, granting the attacker full administrative access.
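To make the tenant-boundary failure concrete, the following is a simplified model added for this page; it is not Fortinet's code, and the assertion fields (account_id, user, device_serial) and the HMAC signing stand-in are assumptions. It shows a device-side validator that checks the assertion's authenticity and target device but never compares the asserting tenant with the registering tenant, beside the corrected check.

```python
# Simplified model of the missing tenant-boundary check (added illustration,
# NOT Fortinet's implementation; field names and signing scheme are assumed).
from dataclasses import dataclass
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # stands in for the identity service's signing key


@dataclass(frozen=True)
class Device:
    serial: str
    registered_account_id: str   # FortiCloud tenant the device is registered under
    sso_admin_enabled: bool      # only devices with SSO admin login enabled accept assertions


def sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def issue_assertion(account_id: str, user: str, target_serial: str) -> dict:
    """Identity-service side: any authenticated FortiCloud user receives a
    signed assertion naming the device they asked to log into."""
    claims = {"account_id": account_id, "user": user, "device_serial": target_serial}
    return {"claims": claims, "sig": sign(claims)}


def _well_formed(device: Device, assertion: dict) -> bool:
    """Checks every device performs: SSO enabled, signature valid, right device."""
    claims = assertion["claims"]
    return (device.sso_admin_enabled
            and hmac.compare_digest(sign(claims), assertion["sig"])
            and claims["device_serial"] == device.serial)


def validate_vulnerable(device: Device, assertion: dict) -> bool:
    # Authenticity is verified, but not which tenant the identity belongs to:
    # a valid user from any FortiCloud account is granted admin access.
    return _well_formed(device, assertion)


def validate_fixed(device: Device, assertion: dict) -> bool:
    # Additionally require the asserting account to be the registering account.
    return (_well_formed(device, assertion)
            and assertion["claims"]["account_id"] == device.registered_account_id)
```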

Once authenticated, the observed post-exploitation activity includes downloading the device's full configuration (which contains firewall rules, VPN settings, and potentially credentials) and creating local administrator accounts with names chosen to blend with legitimate system accounts — including audit, backup, itadmin, secadmin, support, svcadmin, and system — to maintain persistence independent of the SSO channel.

Discovery

The vulnerability was discovered by Fortinet's internal security team following customer reports on January 20, 2026, of unauthorized admin account creation on FortiGate devices. Forensic investigation identified two malicious FortiCloud accounts ([email protected] and [email protected]) that had been used to access customer devices. Fortinet locked these accounts on January 22, 2026, and performed root cause analysis that identified the cross-tenant SSO authorization flaw. The advisory was published on January 27, 2026, alongside the patch releases.

Exploitation Context

Active exploitation was confirmed from January 20, 2026, before the patch was available. Threat actors used two FortiCloud accounts — [email protected] and [email protected] — to access customer devices. After Fortinet locked these accounts on January 22, the actors were observed switching to Cloudflare-proxied IP addresses to obscure attribution. Known malicious IP addresses include 104.28.244.115, 104.28.212.114, 37.1.209.19, and 217.119.139.50.

Post-exploitation objectives were twofold: (1) exfiltrating device configurations, providing complete visibility into victim network architecture and security policies, and (2) establishing persistent local administrator accounts that survive password changes to the FortiCloud SSO account. The account naming strategy — using names like audit, backup, and support — indicates deliberate blending with expected administrative account names to evade detection during account reviews.

Fortinet took the unusual step of disabling FortiCloud SSO globally on January 26, 2026, as an emergency mitigation, then re-enabled it the following day only for devices running the patched versions. No specific named threat actor or nation-state attribution has been publicly confirmed for this exploitation campaign.

Remediation

  1. Patch immediately: Upgrade to the fixed version for your product line as listed in the Affected Versions table above. After patching, FortiCloud SSO is safe to re-enable.
  2. Disable FortiCloud SSO if not required: If your organization does not need FortiCloud SSO for administrative access, disable it on all affected devices. Use device-local accounts with strong, unique passwords and enforce MFA where possible.
  3. Audit administrator accounts: Review all local administrator accounts on FortiOS, FortiAnalyzer, FortiManager, and FortiProxy devices for any accounts not recognized or not authorized by your organization. Treat accounts with names such as audit, backup, itadmin, secadmin, support, svcadmin, or system (if not explicitly provisioned by your team) as indicators of compromise and remove them immediately.
  4. Review device configurations: Compare current device configurations against known-good baselines. Attackers exfiltrated configurations in this campaign — review firewall rules, VPN settings, and routing policies for unauthorized modifications. Treat any unexpected changes as evidence of compromise.
  5. Check for IOCs: Audit admin login logs for sessions originating from the known malicious IPs (104.28.244.115, 104.28.212.114, 37.1.209.19, 217.119.139.50) or from the accounts [email protected] and [email protected]. Look for SSO login events followed immediately by local admin account creation, configuration export operations, or policy modifications. Review Fortinet's PSIRT blog for the full indicator list.
  6. Internet exposure: Fortinet management interfaces (FortiManager, FortiAnalyzer) should never be directly internet-accessible. If FortiGate management access must be internet-reachable, restrict it to trusted management IPs and use trusted host restrictions in the admin account configuration.
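A detection sketch for steps 3 and 5 above, added here and not part of the advisory. It runs over constructed key=value event lines (a stand-in format, not the real FortiOS log schema; adapt the field names to your own admin event logs) and flags sessions from the listed IPs, unprovisioned blend-in admin names, and admin creation or configuration export shortly after an SSO login.

```python
# Added detection sketch. Log lines and field names below are constructed for
# this example; they are NOT Fortinet's real log schema.
import re
from datetime import datetime, timedelta

KNOWN_BAD_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
BLEND_IN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "svcadmin", "system"}
WINDOW = timedelta(minutes=30)  # SSO login -> follow-on action window to correlate

# Constructed sample events (not real logs): one SSO session from a listed IP
# that adds an admin and exports the config, then a benign local session.
SAMPLE_LOG = """\
2026-01-21T02:14:05Z action=sso_login user=alice srcip=104.28.244.115 method=forticloud_sso
2026-01-21T02:15:10Z action=admin_add user=alice srcip=104.28.244.115 newadmin=svcadmin
2026-01-21T02:16:40Z action=config_export user=alice srcip=104.28.244.115
2026-01-21T09:00:00Z action=local_login user=bob srcip=10.0.0.5 method=local
2026-01-21T09:01:00Z action=admin_add user=bob srcip=10.0.0.5 newadmin=netops2
"""


def parse(line: str) -> dict:
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(re.findall(r"(\w+)=(\S+)", rest))
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def find_suspicious(log_text: str, provisioned_admins: set) -> list:
    """Return (timestamp, reason) findings; provisioned_admins is your allowlist."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    sso_logins = {}  # (user, srcip) -> time of the most recent SSO login
    for ev in events:
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("srcip") in KNOWN_BAD_IPS:
            findings.append((ev["ts"], f"known malicious IP {ev['srcip']}"))
        if ev["action"] == "sso_login":
            sso_logins[key] = ev["ts"]
        elif ev["action"] in ("admin_add", "config_export"):
            t0 = sso_logins.get(key)
            if t0 is not None and ev["ts"] - t0 <= WINDOW:
                findings.append((ev["ts"], f"{ev['action']} within {WINDOW} of SSO login"))
        if ev["action"] == "admin_add":
            name = ev["newadmin"]
            if name in BLEND_IN_NAMES and name not in provisioned_admins:
                findings.append((ev["ts"], f"unprovisioned blend-in admin {name}"))
    return findings
```

Admin accounts whose names fall in the blend-in list are only reported when they are absent from your allowlist, so provisioned accounts with those names do not generate noise.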

Key Details

Property             | Value
CVE ID               | CVE-2026-24858
Vendor / Product     | Fortinet — Multiple Products
NVD Published        | 2026-01-27
NVD Last Modified    | 2026-01-29
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-288
CISA KEV Added       | 2026-01-27
CISA KEV Deadline    | 2026-01-30
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2026-01-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2026-01-20 | Multiple Fortinet customers report unauthorized admin account creation on FortiGate devices despite running current FortiOS
2026-01-22 | Fortinet identifies and locks two malicious FortiCloud accounts ([email protected], [email protected])
2026-01-26 | Fortinet disables FortiCloud SSO authentication globally as an emergency mitigation
2026-01-27 | CVE-2026-24858 published; Fortinet advisory FG-IR-26-060 released; FortiCloud SSO re-enabled for patched versions; added to CISA KEV catalog the same day
2026-01-30 | CISA BOD 22-01 remediation deadline