CVE-2026-24858 is a critical authentication bypass in FortiCloud Single Sign-On (SSO) that can allow an attacker with a FortiCloud account and a registered device to authenticate to other organizations’ devices (registered to other FortiCloud accounts) when FortiCloud SSO administrative login is enabled.
Fortinet observed real-world exploitation and took cloud-side actions (locking malicious accounts and temporarily disabling FortiCloud SSO). Even if organizations were fully updated for earlier FortiCloud SSO issues, this was described as a new attack path.
Affected Products and Versions
Multiple Fortinet products are affected, including:
- FortiOS: 7.6.0–7.6.5, 7.4.0–7.4.10, 7.2.0–7.2.12, 7.0.0–7.0.18
- FortiManager: 7.6.0–7.6.5, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.15
- FortiAnalyzer: 7.6.0–7.6.5, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.15
- FortiProxy / FortiWeb: also listed in NVD as affected when FortiCloud SSO is enabled
Note: FortiCloud SSO admin login is not enabled by default in factory settings, but may be enabled during device registration workflows unless explicitly disabled.
Observed Exploitation Chain
Fortinet’s incident analysis indicates that attackers have abused FortiCloud SSO access to authenticate to affected devices and subsequently create local administrator accounts to establish persistence.
In many cases, this initial access was followed by additional configuration changes, including modifications that could enable continued or expanded remote administrative access.
In response to the observed exploitation, Fortinet reported disabling abused FortiCloud accounts on January 23, temporarily disabling FortiCloud SSO at the cloud level on January 26, and restoring the service on January 27 with additional restrictions designed to prevent logins from vulnerable firmware versions.
Indicators of Compromise (IOCs) Published by Fortinet
Fortinet published concrete IOCs and log artifacts to support validation and threat hunting.
Observed SSO login usernames
- cloud-noc@mail.io
- cloud-init@mail.io
Observed source IPs (Fortinet-confirmed)
- 104[.]28.244.115
- 104[.]28.212.114
Additional source IPs (third-party reporting, included by Fortinet)
- 37[.]1.209.19
- 217[.]119.139.50
Observed malicious local admin usernames (examples)
- audit
- backup
- itadmin
- secadmin
- support
Relevant log artifacts to hunt
- Successful administrative logins using FortiCloud SSO (e.g., method="sso", ui="sso(<ip>)", user="<IOC email>")
- Creation of new administrative users under system.admin shortly after an SSO login event
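As an added example (not Fortinet's tooling or the original advisory's content), the following Python hunt runs over constructed FortiOS-style key=value event lines and flags the two artifacts listed above: SSO logins matching the published IOCs, and system.admin objects added shortly after an SSO login by the same user. The field names it keys on (action, cfgpath, cfgobj, srcip), the sample lines and the one-hour correlation window are assumptions, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the advisory above (IPs are shown de-fanged there; normalised here).
IOC_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
SUSPECT_ADMINS = {"audit", "backup", "itadmin", "secadmin", "support"}
WINDOW = timedelta(hours=1)  # assumption: admin creation within 1h of an SSO login is suspicious

# Constructed sample lines in FortiOS key=value event-log style (not real captures).
SAMPLE_LOGS = """\
date=2026-01-24 time=03:12:05 type="event" subtype="system" logdesc="Admin login successful" user="cloud-noc@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success"
date=2026-01-24 time=03:13:40 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-noc@mail.io" ui="sso(104.28.244.115)" action="Add" cfgpath="system.admin" cfgobj="audit" msg="Add system.admin audit"
date=2026-01-24 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success"
date=2026-01-24 time=09:45:00 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
date=2026-01-24 time=10:00:00 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" ui="sso(203.0.113.9)" method="sso" srcip=203.0.113.9 action="login" status="success"
date=2026-01-24 time=14:00:00 type="event" subtype="system" logdesc="Object attribute configured" user="ops@example.com" ui="sso(203.0.113.9)" action="Add" cfgpath="system.admin" cfgobj="oncall" msg="Add system.admin oncall"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bareword

def parse(line: str) -> dict:
    """Parse one FortiOS-style key=value event line into a dict with a datetime under '_ts'."""
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    fields["_ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def hunt(lines):
    """Return findings as (timestamp, user, reason) tuples, in time order."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["_ts"])
    findings, recent_sso = [], {}  # recent_sso: user -> timestamp of that user's last SSO login
    for e in events:
        user, ts = e.get("user", ""), e["_ts"]
        if e.get("action") == "login" and e.get("method") == "sso":
            recent_sso[user] = ts
            src = e.get("srcip", "")
            if user in IOC_USERS or src in IOC_IPS:
                findings.append((ts, user, f"SSO login matching published IOC from {src}"))
        elif e.get("action") == "Add" and e.get("cfgpath") == "system.admin":
            new_admin = e.get("cfgobj", "?")
            last = recent_sso.get(user)
            if last is not None and ts - last <= WINDOW:
                findings.append((ts, user, f"admin '{new_admin}' created {ts - last} after SSO login"))
            # Name match alone is a weak signal: these are generic names that legitimate admins also use.
            if new_admin in SUSPECT_ADMINS:
                findings.append((ts, user, f"admin name '{new_admin}' matches observed malicious names"))
    return findings
```

Run it against exported event logs one line per entry; the correlation only catches admin creation by the same SSO identity, so also review system.admin additions with no preceding login of any kind.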
Mitigation and Recommendations
Apply the latest patch. Fortinet has released fixed firmware versions addressing CVE-2026-24858 across affected product lines.
Disable FortiCloud SSO administrative login where not required, especially on internet-exposed management planes. Fortinet provided a GUI and CLI approach: set admin-forticloud-sso-login disable.
Restrict administrative interface access by setting local-in policy / trusted IP allowlisting for management access.
For more details, please see the official guidance from Fortinet here.
Stay Safe. Stay Secure
OP Innovate Research Team