Fortinet Blocks Exploited FortiCloud SSO Zero-Day

In late January 2026, Fortinet confirmed that a critical FortiCloud Single Sign-On (SSO) vulnerability was being actively exploited in the wild even affecting systems believed to be patched. The company has taken assertive steps to block exploitation from the server side while a proper software patch is developed and rolled out. This blog breaks down the vulnerability, how attackers are abusing it, and exactly what organizations must do to protect their networks.

What Is FortiCloud SSO and Why It Matters

FortiCloud SSO is a cloud-based Single Sign-On authentication service used with a range of Fortinet products including FortiOS, FortiManager, and FortiAnalyzer that allows administrators to log in through a central identity mechanism rather than local credentials. While this simplifies credential management, it also creates a broad attack surface if implemented insecurely. SSO solutions rely on secure handling of authentication tokens and assertions. If these mechanisms are flawed, attackers may trick a system into granting unauthorized access which is exactly what happened here.

The Vulnerability: CVE-2026-24858 Explained

Fortinet tracked the flaw as CVE-2026-24858, classifying it as critical with a high severity score (CVSS 9.4). Simply put, attackers could bypass authentication checks in the FortiCloud SSO implementation and gain administrative access to devices belonging to other customers even when those devices had been updated with the latest firmware available. This attack appears to exploit an alternate authentication path or channel inside FortiCloud SSO one not covered by existing patches. That means even devices patched against a previously disclosed vulnerability (CVE-2025-59718) remained at risk, complicating mitigation.

How Attackers Are Exploiting the Flaw

The exploitation has taken on a highly automated form:

• Threat actors were observed logging in via FortiCloud SSO using generic email accounts such as cloud-init@mail.io and cloud-noc@mail.io.

Once authenticated, attackers created unauthorized local administrator accounts on Fortinet devices.

• These accounts were used to modify configurations, open VPN access, and exfiltrate sensitive firewall configuration data.

Such administrative access undermines core network security, enabling lateral movement, data theft, and the undetected persistence of threat actors.

Fortinet’s Emergency Response

Recognizing the severity, Fortinet took several urgent mitigation steps while final patches were being developed:

1. Blocking Abusive FortiCloud Accounts

On January 22, Fortinet disabled specific FortiCloud accounts that were actively being abused by attackers.

2. Disabling FortiCloud SSO Globally

By January 26, FortiCloud SSO was temporarily disabled on FortiCloud servers to prevent further malicious login attempts.

3. Restoring FortiCloud SSO With Restrictions

On January 27, Fortinet restored SSO access but with controls that block devices with vulnerable firmware from authenticating via SSO. This server-side control effectively stops exploitation without requiring administrators to immediately disable SSO themselves.

What Administrators Should Do Right Now

While Fortinet’s measures protect many environments, organizations should also take defensive actions on their own networks. The following mitigation steps are strongly recommended:

1. Restrict Administrative Access

Implement firewall policies to limit administrative access only to specific trusted sources. Avoid exposing management interfaces directly to the internet.

2. Disable FortiCloud SSO (Temporary)

If FortiCloud SSO is enabled on your devices, consider disabling it until updated firmware patches are confirmed and applied. You can do this via CLI:

config system global set admin-forticloud-sso-login disable end

This ensures that authentication doesn’t happen through the cloud service until the fix is in place.

3. Monitor for Indicators of Compromise

Check logs for unauthorized login attempts from suspicious accounts or unexpected configurations. Look specifically for generic email identities and unfamiliar admin accounts signs commonly associated with this attack.

4. Patch as Soon as It’s Released

Once Fortinet publishes official patches for affected products (expected for FortiOS, FortiManager, and FortiAnalyzer), apply them quickly in your environment. A good patch management process will reduce the window of opportunity for threat actors.

5. Audit and Clean Up

If you suspect compromise, audit existing configurations for unauthorized accounts or changes. Restore configurations from known clean backups, rotate all credentials, and validate device integrity before putting them back into production.

Final Thoughts

This incident serves as a reminder that single sign-on implementations while convenient must be rigorously secured. Even widely used enterprise features can expose critical infrastructure if flaws are overlooked. Fortinet’s proactive server-side mitigation bought time for administrators, but organizations must use this time wisely to secure and patch their environments.

In an era of rapidly evolving threats, continuous monitoring, secure authentication practices, and disciplined patch management are non-negotiable components of a modern cybersecurity strategy.