Home > Security > Security News

Fortinet Temporarily Disables FortiCloud SSO Following Active Exploitation

Published
Written by:
Vishwa Pandagle
Vishwa Pandagle
Cybersecurity Staff Editor
Fortinet
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Active Exploitation: Attackers abused FortiCloud SSO trust to access unrelated customer devices using valid FortiCloud accounts.
  • Emergency Mitigation: Fortinet temporarily disabled FortiCloud SSO and now blocks logins from devices running vulnerable versions.
  • Patch Dependency: Risk now depends on customer upgrades, as unpatched systems remain exposed despite platform-level safeguards.

Fortinet has disclosed a critical authentication bypass vulnerability that affects multiple Fortinet products. It has been actively exploited in the wild, enabling attackers to access customer devices by abusing FortiCloud single sign-on (SSO) trust mechanisms.

The vulnerability, tracked as CVE-2026-24858 and assigned a CVSS score of 9.4, impacts FortiOS, FortiManager, FortiAnalyzer, and FortiProxy when FortiCloud SSO authentication is enabled. 

The company confirmed that attackers with valid FortiCloud accounts and registered devices were able to authenticate to systems associated with unrelated customer environments.

Fortinet said it implemented emergency controls at the platform level to limit further abuse.

Vulnerability Identification

Fortinet’s Product Security Incident Response Team (PSIRT) said the issue involves an authentication bypass through an alternate access path. This allowed FortiCloud SSO authentication to succeed under conditions that should otherwise prevent cross-account access.

While the company blocked FortiCloud SSO access from vulnerable versions, the vulnerability remains relevant for organizations that have not yet upgraded.

Attackers Activities Observed by PSIRT

The company said it identified two FortiCloud accounts being used maliciously to exploit the flaw and locked those accounts on January 22.

Although FortiCloud SSO is not enabled in default factory settings, it may be activated during device registration to FortiCare, unless administrators explicitly disable the option permitting administrative login through FortiCloud SSO.

Fortinet said attackers who successfully authenticated via FortiCloud SSO were observed:

Once authenticated, attackers were observed carrying out multiple post-access actions. 

Researchers marked the following accounts under indicators of compromise that have been neutralized:

The following IP addresses were observed being used for login activity:

These IP addresses were reported by a third party and not directly observed by Fortinet:

Response to the Incidents 

The malicious activity included the creation of admin accounts with common names such as backup, itadmin, support, and security. Hence, Fortinet urged customers to audit all admin users.

The attackers also rotated network infrastructure and leveraged Cloudflare-protected IP addresses, which further complicated detection and monitoring of malicious activities.

To reduce risk, Fortinet disabled FortiCloud SSO globally on January 26, and re-enabled the service on January 27 with safeguards. Under the updated controls, FortiCloud SSO authentication is now blocked for devices running vulnerable software versions.

Customers must upgrade to fixed releases for FortiCloud SSO functionality to work. Disabling SSO locally is no longer required, as it is handled server-side.

Fortinet confirmed the vulnerability was exploited prior to its mitigation steps. Researchers are also investigating additional products, including FortiWeb and FortiSwitch Manager.

Although the company’s platform-level controls now restrict the attack path, the flaw poses a risk to organizations that have not yet applied updates.  The risk is driven less by active exploitation and more by slowed patch adoption.

The flaw exploited identity trust relationships between cloud services and on-premise infrastructure, allowing attackers to move laterally across customer environments without a direct device breach.

Customers must upgrade affected products to fixed versions and review administrative access for unauthorized activities. Organizations are advised to examine authentication logs for suspicious FortiCloud SSO activity. 

The company emphasized that FortiCloud SSO will not function on vulnerable versions, making upgrades mandatory for continued use.

Add a Comment
Related
Recent Cybersecurity Executive and Board Appointments
U.S. Treasury Cancels Booz Allen Hamilton Contracts, Former Contractor Pleads Guilty to Taxpayer Data Breach 
From Cybercrime to Countermeasures: How Governments, Enterprises, and Defenders Are Adjusting
INC Ransom Backup Server Security Fail Enabled 12 US Companies to Recover Their Data
Microsoft logo on a building
Microsoft 365 Outage Disrupted Cloud Services, Blocked Email and File Access for Enterprise Users
Hacker Leaks Alleged Data of Three Spanish Transport Ministry Officials After Adamuz Train Crash
Most Popular
Surfshark Clears Independent Security Audit, Infrastructure Meets Top Protection Standards
Surfshark Clears Independent Security Audit, Infrastructure Meets Top Protection Standards
Recent Cybersecurity Executive and Board Appointments
U.S. Treasury Cancels Booz Allen Hamilton Contracts, Former Contractor Pleads Guilty to Taxpayer Data Breach 
From Cybercrime to Countermeasures: How Governments, Enterprises, and Defenders Are Adjusting
INC Ransom Backup Server Security Fail Enabled 12 US Companies to Recover Their Data
Microsoft logo on a building
Microsoft 365 Outage Disrupted Cloud Services, Blocked Email and File Access for Enterprise Users
Surfshark Clears Independent Security Audit, Infrastructure Meets Top Protection Standards
Recent Cybersecurity Executive and Board Appointments
U.S. Treasury Cancels Booz Allen Hamilton Contracts, Former Contractor Pleads Guilty to Taxpayer Data Breach 
From Cybercrime to Countermeasures: How Governments, Enterprises, and Defenders Are Adjusting
INC Ransom Backup Server Security Fail Enabled 12 US Companies to Recover Their Data
Microsoft 365 Outage Disrupted Cloud Services, Blocked Email and File Access for Enterprise Users

Most Popular
Surfshark Clears Independent Security Audit, Infrastructure Meets Top Protection Standards
Surfshark Clears Independent Security Audit, Infrastructure Meets Top Protection Standards
Recent Cybersecurity Executive and Board Appointments
U.S. Treasury Cancels Booz Allen Hamilton Contracts, Former Contractor Pleads Guilty to Taxpayer Data Breach 
From Cybercrime to Countermeasures: How Governments, Enterprises, and Defenders Are Adjusting
INC Ransom Backup Server Security Fail Enabled 12 US Companies to Recover Their Data
Microsoft logo on a building
Microsoft 365 Outage Disrupted Cloud Services, Blocked Email and File Access for Enterprise Users
Surfshark Clears Independent Security Audit, Infrastructure Meets Top Protection Standards
Recent Cybersecurity Executive and Board Appointments
U.S. Treasury Cancels Booz Allen Hamilton Contracts, Former Contractor Pleads Guilty to Taxpayer Data Breach 
From Cybercrime to Countermeasures: How Governments, Enterprises, and Defenders Are Adjusting
INC Ransom Backup Server Security Fail Enabled 12 US Companies to Recover Their Data
Microsoft 365 Outage Disrupted Cloud Services, Blocked Email and File Access for Enterprise Users

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: