Critical Threat Alert: CVE-2026-24858

🚨 CRITICAL ALERT: Active Zero-Day Exploits

Fortinet FortiCloud SSO authentication bypass CVE-2026-24858 (CVSS 9.8) is under active exploitation in the wild as a zero-day. An attacker who holds any valid FortiCloud account with a registered device can bypass authentication and obtain administrative access to Fortinet devices registered to other FortiCloud accounts. Added to CISA KEV on 2026-01-27. Patch and mitigate immediately: administrative access to a perimeter device can lead to full network compromise.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2026-24858 (CVSS 9.8): Authentication Bypass Using an Alternate Path or Channel [CWE-288]. Allows an attacker with a FortiCloud account and a registered device to log into other devices when FortiCloud SSO is enabled. Affected versions:
    • FortiAnalyzer 7.6.0-7.6.5, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.15
    • FortiManager 7.6.0-7.6.5, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.15
    • FortiOS 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.12, 7.0.0-7.0.18
    • FortiProxy 7.6.0-7.6.4, 7.4.0-7.4.12, 7.2.0-7.2.15, 7.0.0-7.0.22
    • FortiWeb 8.0.0-8.0.3, 7.6.0-7.6.6, 7.4.0-7.4.11
    References: NVD entry, CISA KEV entry.

⚡ Immediate Actions Required

1. Disable FortiCloud SSO admin login NOW:

  • FortiOS:
    config system global
        set admin-forticloud-sso-login disable
    end
  • FortiManager/FortiAnalyzer: System Settings → SAML SSO → turn off "Allow admins to login with FortiCloud", or from the CLI:
    config system saml
        set forticloud-sso disable
    end

2. Apply vendor patches immediately to all affected versions.

3. Verify the FortiCloud SSO status on every Fortinet device whose administrative interface is reachable, internet-facing devices first. The setting is enabled automatically during FortiCare registration unless it was explicitly disabled, so a device that nobody deliberately configured for SSO may still have it on.

4. Monitor for admin logins from FortiCloud accounts you do not recognise. The attack requires only that the attacker can reach the device's administrative interface and hold any valid FortiCloud account with a registered device; no credentials for the target device or its FortiCloud tenant are needed.
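
The audit below is an added example that ties steps 1, 3 and 4 together; it is not Fortinet tooling and not code from this advisory. It checks a captured config for the SSO toggle named above, compares a device version against the affected ranges listed on this page, and flags successful admin logins by FortiCloud accounts outside your own list. Assumptions, labelled in the code: config text comes from "show full-configuration" (FortiOS) or "show system saml" (FortiManager/FortiAnalyzer); a missing toggle line is reported as "unknown" rather than assumed safe; FortiCloud accounts are recognised by an e-mail-shaped user field; the sample config and log lines are constructed, modelled on FortiOS key="value" event logs.

```python
# Added example for CVE-2026-24858 triage; not Fortinet's code. Sample data is constructed.
import re

# Affected version ranges exactly as listed in the advisory (inclusive).
AFFECTED = {
    "FortiAnalyzer": [("7.6.0", "7.6.5"), ("7.4.0", "7.4.9"), ("7.2.0", "7.2.11"), ("7.0.0", "7.0.15")],
    "FortiManager":  [("7.6.0", "7.6.5"), ("7.4.0", "7.4.9"), ("7.2.0", "7.2.11"), ("7.0.0", "7.0.15")],
    "FortiOS":       [("7.6.0", "7.6.5"), ("7.4.0", "7.4.10"), ("7.2.0", "7.2.12"), ("7.0.0", "7.0.18")],
    "FortiProxy":    [("7.6.0", "7.6.4"), ("7.4.0", "7.4.12"), ("7.2.0", "7.2.15"), ("7.0.0", "7.0.22")],
    "FortiWeb":      [("8.0.0", "8.0.3"), ("7.6.0", "7.6.6"), ("7.4.0", "7.4.11")],
}

# CLI location of the SSO toggle, per the advisory; products not listed here report "unknown".
SSO_SETTING = {
    "FortiOS":       ("config system global", "admin-forticloud-sso-login"),
    "FortiManager":  ("config system saml", "forticloud-sso"),
    "FortiAnalyzer": ("config system saml", "forticloud-sso"),
}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def is_affected(product, version):
    """True if version lies inside any affected range for the product."""
    v = version_tuple(version)
    return any(version_tuple(lo) <= v <= version_tuple(hi) for lo, hi in AFFECTED.get(product, []))


def sso_state(product, config_text):
    """Return 'enabled', 'disabled' or 'unknown' for the FortiCloud SSO admin-login toggle.
    'unknown' covers products without a listed toggle and configs where the line is absent
    (e.g. plain 'show' output, which omits defaults); treat unknown as needing manual review."""
    if product not in SSO_SETTING:
        return "unknown"
    block, setting = SSO_SETTING[product]
    in_block, depth = False, 0  # depth tracks nested 'config ... end' sub-blocks
    for line in config_text.splitlines():
        s = line.strip()
        if not in_block:
            in_block = s == block
            continue
        if s.startswith("config "):
            depth += 1
        elif s == "end":
            if depth == 0:
                in_block = False
            else:
                depth -= 1
        elif depth == 0:
            m = re.match(rf"set {re.escape(setting)} (enable|disable)$", s)
            if m:
                return "enabled" if m.group(1) == "enable" else "disabled"
    return "unknown"


KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse a key=value / key="value" log line into a dict."""
    return {k: raw.strip('"') for k, raw, _ in KV.findall(line)}


def suspicious_sso_logins(log_lines, known_accounts):
    """Flag successful admin logins whose user looks like a FortiCloud account (assumption:
    FortiCloud accounts are e-mail addresses) and is not one of ours."""
    flagged = []
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("logdesc") != "Admin login successful":
            continue
        user = ev.get("user", "")
        if "@" in user and user.lower() not in known_accounts:
            flagged.append((ev.get("date", ""), user, ev.get("srcip", "")))
    return flagged


# Constructed samples (not captured from real devices).
SAMPLE_FORTIOS_CONFIG = 'config system global\n    set admin-forticloud-sso-login enable\n    set hostname "fw-edge-01"\nend\n'
SAMPLE_FMG_CONFIG = 'config system saml\n    set forticloud-sso disable\n    config service-providers\n        edit "fw-edge-01"\n        next\n    end\nend\n'
SAMPLE_LOGS = [
    'date=2026-01-27 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="ops@example.com" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success"',
    'date=2026-01-27 time=03:20:41 type="event" subtype="system" logdesc="Admin login successful" user="unknown.tenant@example.net" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success"',
    'date=2026-01-27 time=03:22:10 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(192.0.2.5)" srcip=192.0.2.5 action="login" status="success"',
    'date=2026-01-27 time=03:25:00 type="event" subtype="system" logdesc="Admin login failed" user="root" srcip=198.51.100.23 action="login" status="failed"',
]

if __name__ == "__main__":
    for product, ver, cfg in [("FortiOS", "7.4.8", SAMPLE_FORTIOS_CONFIG), ("FortiManager", "7.6.5", SAMPLE_FMG_CONFIG)]:
        print(f"{product} {ver}: affected={is_affected(product, ver)} forticloud_sso={sso_state(product, cfg)}")
    for when, user, ip in suspicious_sso_logins(SAMPLE_LOGS, {"ops@example.com"}):
        print(f"REVIEW: {when} admin login by FortiCloud account {user} from {ip}")
```

Feed it real "show full-configuration" captures and exported event logs per device; a device reported as affected with SSO "enabled" or "unknown" goes to the top of the patch queue, and any flagged login warrants a check of what that session changed.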

Fortinet disabled the vulnerable SSO login path server-side on Jan 26-27, 2026, but unpatched devices with FortiCloud SSO still enabled remain at risk and should be treated as exposed until patched and reviewed for unauthorized admin sessions. Act now to prevent unauthorized access and infrastructure takeover.