editorially independent. We may make money when you click on links
to our partners.
Learn More
Fortinet confirmed active exploitation of an authentication bypass flaw in FortiCloud SSO that could lead to administrative takeover of affected systems.
The issue allows unauthorized attackers to log in to devices they do not own, bypassing expected account boundaries.
This vulnerability “… may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” said Fortinet in its advisory.
Inside the Fortinet FortiCloud SSO Flaw
The vulnerability, tracked as CVE-2026-24858, affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy and carries a CVSS score of 9.4.
Successful exploitation of the vulnerability can grant attackers broad visibility and control across enterprise environments.
The issue stems from improper access control in the graphical user interface component associated with FortiCloud Single Sign-On (SSO).
Although FortiCloud SSO is not enabled by default, it is automatically activated during FortiCare registration through the GUI unless administrators explicitly disable the option to allow administrative login using FortiCloud SSO.
This behavior makes it easy for organizations to be exposed unintentionally, particularly in environments where default setup workflows are followed.
FortiCloud SSO is intended to simplify administration by allowing users to authenticate to Fortinet devices using FortiCloud credentials.
However, the vulnerability allows attackers who possess a valid FortiCloud account — and have registered at least one device — to authenticate to other Fortinet devices registered under different customer accounts.
This breaks intended account isolation and enables cross-tenant administrative access.
Exploitation does not require prior access to the target environment or advanced techniques.
Because the flaw operates directly at the authentication layer, attackers who successfully bypass access controls gain full administrative privileges upon login.
Active Exploitation in the Wild
Fortinet has confirmed that the vulnerability is being actively exploited in the wild at the time of publication.
During observed attacks, Fortinet reported that threat actors downloaded customer configuration files for reconnaissance purposes and created persistent local administrator accounts, enabling continued access even after remediation steps such as password changes.
According to the company, the attackers’ primary objectives appeared to be configuration exfiltration and privilege escalation.
Fortinet traced exploitation activity to two malicious FortiCloud accounts, which were locked on Jan. 22, 2026.
To limit further abuse, the company temporarily disabled FortiCloud SSO on January 26, re-enabled it the following day, and implemented cloud-side controls to block authentication attempts from devices running vulnerable software versions.
The company also noted that attackers shifted their infrastructure to Cloudflare-protected IP addresses, complicating traditional network-based detection methods.
Fortinet has shared indicators of compromise (IoCs) to assist organizations with threat hunting and stated that investigations into additional products, including FortiWeb and FortiSwitch Manager, are ongoing.
How to Mitigate Fortinet SSO Risks
A layered response that combines patching, access hardening, and continuous monitoring is essential to reducing risk.
- Immediately patch all affected Fortinet products using Fortinet’s upgrade path tool and confirm systems are running fixed versions.
- Disable FortiCloud SSO where it is not required and review configuration settings to prevent unintended re-enablement.
- Restrict access to management interfaces by limiting exposure to trusted networks, jump hosts, or VPN-only access.
- Review all administrative accounts for unauthorized additions, rotate credentials, and enforce least-privilege access controls.
- Centralize and monitor Fortinet logs for anomalous administrative activity, configuration exports, or privilege escalation.
- Enforce strong authentication controls, including MFA where supported, for all administrative access paths.
- Regularly test and update incident response plans to ensure teams can detect, contain, and recover from network device compromise scenarios.
Taken together, these measures help limit the blast radius of compromise and build long-term resilience against administrative-level attacks on network security infrastructure.
Authentication Flaws Create Enterprise Risk
This incident underscores how authentication flaws in cloud-integrated management features can quickly escalate into enterprise-wide risk when exploited at scale.
As network security platforms become more tightly coupled with centralized identity services, organizations must treat administrative access paths as critical infrastructure and continuously validate their security posture.
The Fortinet vulnerability highlights why zero-trust approaches that continuously verify users, devices, and access paths are becoming essential for securing modern network environments.
