Safa Marwah
Fortinet, a prominent cybersecurity solutions provider, has initiated a critical server-side mitigation strategy to counteract an actively exploited zero-day authentication bypass vulnerability affecting its FortiCloud single sign-on (SSO) service. Tracked as CVE-2026-24858, this severe flaw carries a CVSS score of 9.4, underscoring its potential for widespread compromise. The company’s decisive action involves blocking vulnerable FortiCloud SSO connections, effectively halting ongoing attacks while permanent patches for FortiOS, FortiManager, and FortiAnalyzer platforms are still under development.
The confirmed vulnerability represents a significant challenge to enterprise security, enabling malicious actors to circumvent authentication mechanisms and gain unauthorized administrative access to a broad spectrum of Fortinet devices registered to various customers. This exploit path persisted even on systems previously updated to address an earlier, related critical vulnerability, highlighting the sophisticated nature of the attack. The incident underscores the inherent risks associated with identity and access management solutions when fundamental authentication processes are compromised, particularly within cloud-integrated security infrastructures.
Unraveling the Exploitation Narrative
The alarm bells first sounded on January 21, when Fortinet customers began reporting suspicious activity on their FortiGate firewalls. These reports indicated unauthorized access, specifically the creation of new local administrator accounts via FortiCloud SSO, on devices running what was believed to be the latest, patched firmware. Initial speculation erroneously linked these breaches to a potential bypass of CVE-2025-59718, another critical FortiCloud SSO authentication bypass flaw that Fortinet had addressed with patches in December 2025. This earlier vulnerability had also seen active exploitation, leading to a natural assumption of a recurrence or a clever circumvention of the prior fix.
However, the emerging pattern of compromise suggested a more insidious mechanism. Administrators observed attackers logging into FortiGate devices using specific email addresses, notably "[email protected]," and subsequently establishing new, unauthorized local administrative accounts. The consistency of these indicators of compromise (IoCs) with those observed during the December 2025 campaign created a perplexing scenario for security teams.
By January 22, cybersecurity firm Arctic Wolf corroborated the ongoing attacks, characterizing them as automated and highly efficient. Their analysis revealed that within mere seconds of initial access, attackers were able to create rogue administrative and VPN-enabled accounts, alongside the exfiltration of critical firewall configurations. This rapid operational tempo further solidified the suspicion that a novel, unpatched attack vector was at play, distinct from a simple bypass of the December fix. The attackers’ ability to automate these steps across multiple targets pointed to a well-resourced and coordinated campaign.
Fortinet’s Confirmation of an Alternate Attack Path
On January 23, Fortinet officially confirmed the existence of an alternate authentication pathway that remained exploitable even on fully updated systems. Carl Windsor, Fortinet’s CISO, acknowledged that devices running the most current firmware versions were indeed being compromised, unequivocally pointing to a previously unknown vulnerability. This revelation shifted the focus from a patch bypass to a genuine zero-day flaw.
The vulnerability, now formally designated CVE-2026-24858 in a PSIRT advisory published on January 27, is described as an "Authentication Bypass Using an Alternate Path or Channel." It specifically targets improper access control within the FortiCloud SSO implementation. The core mechanism allows an attacker possessing a valid FortiCloud account and a registered device to authenticate to other customers’ devices, provided FortiCloud SSO was enabled on those target systems.
While FortiCloud SSO is not enabled by default, Fortinet clarified a crucial detail: the feature automatically activates when a device is registered with FortiCare, unless it is manually disabled post-registration. This default behavior significantly expands the potential attack surface for this vulnerability, as many organizations likely enable FortiCloud SSO for convenience or management purposes without explicitly reviewing its status after initial device registration.
Critically, Fortinet also issued a broader warning: while current observations indicated exploitation solely through FortiCloud SSO, the underlying issue is applicable to all SAML-based SSO implementations. This implication expands the potential impact beyond Fortinet’s immediate ecosystem, signaling a fundamental flaw in how certain SAML SSO processes might be handled, potentially affecting other vendors utilizing similar authentication architectures. This highlights a systemic risk in the prevalent use of SAML for enterprise identity federation.
The Anatomy of the Attack and Indicators of Compromise
Fortinet’s investigation identified two specific malicious FortiCloud SSO accounts implicated in the exploitation: "[email protected]" and "[email protected]." These accounts were subsequently locked out on January 22 as part of Fortinet’s initial response.
Upon successful breach, the attackers engaged in a consistent pattern of post-exploitation activity. This typically involved the downloading of customer configuration files, a critical step for understanding network topology, gaining credentials, and planning further lateral movement. Concurrently, the attackers created new administrative accounts on the compromised devices. The observed account names included: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, and svcadmin, indicating a strategy to establish persistent backdoors and blend in with legitimate administrative users.
The connections originating from the attackers were traced to a specific set of IP addresses, providing valuable indicators for detection and blocking:
- 104.28.244.115
- 104.28.212.114
- 104.28.212.115
- 104.28.195.105
- 104.28.195.106
- 104.28.227.106
- 104.28.227.105
- 104.28.244.114
Additionally, third-party observations noted further malicious activity originating from37.1.209.19and217.119.139.50, broadening the scope of the threat actor’s infrastructure. These IoCs are vital for organizations to scan their logs and network traffic for signs of compromise.
Emergency Mitigation and Ongoing Remediation
In response to the active exploitation and prior to the availability of specific patches, Fortinet implemented a crucial server-side change. This intervention effectively blocks FortiCloud SSO connections originating from devices running vulnerable firmware versions, regardless of whether FortiCloud SSO remains enabled on the client side. This proactive measure provides an immediate, albeit temporary, shield against the ongoing attacks, alleviating the immediate pressure on administrators to manually disable the feature.
While this server-side block is effective, Fortinet still advises customers to exercise caution, particularly given the broader applicability of the flaw to other SAML-based SSO implementations. For organizations wishing to manually disable FortiCloud SSO as an additional layer of defense or for those concerned about other SAML integrations, the following command can be executed:
config system global
set admin-forticloud-sso-login disable
endThis command offers granular control, allowing administrators to disable the FortiCloud SSO login functionality specifically for device administration.
Fortinet’s engineering teams are actively developing patches for FortiOS, FortiManager, and FortiAnalyzer. The investigation is also ongoing to determine whether other Fortinet products, such as FortiWeb and FortiSwitch Manager, are similarly affected by this critical flaw.
Broader Implications and Recommended Post-Breach Actions
The exploitation of CVE-2026-24858 carries profound implications for enterprise security. The compromise of firewall devices, which serve as critical network perimeters, can lead to complete network subjugation, data exfiltration, and the establishment of persistent access points for future attacks. The ability to gain administrative control over these devices fundamentally undermines an organization’s security posture.
For any customer who identifies the aforementioned indicators of compromise in their logs, Fortinet’s recommendation is unequivocal: treat the affected devices as fully compromised. This mandates a comprehensive incident response protocol, including:
- Reviewing All Administrator Accounts: Scrutinize all existing administrative accounts for unauthorized additions, modifications, or suspicious activity. Any newly created or suspicious accounts must be immediately disabled.
- Restoring Configurations from Known-Clean Backups: To ensure the integrity of the device and eliminate any persistent backdoors or malicious configurations, organizations should restore their device configurations from backups known to predate the compromise. This is a critical step to guarantee a clean slate.
- Rotating All Credentials: All administrative credentials associated with the compromised devices, and potentially other interconnected systems, must be immediately rotated. This includes local accounts, service accounts, and any credentials used for cloud management interfaces. Multi-factor authentication (MFA) should be enforced universally where possible.
Beyond immediate remediation, this incident serves as a stark reminder of the persistent threats targeting identity and access management systems. SSO, while offering convenience and efficiency, consolidates authentication risk. A single vulnerability in an SSO provider can expose an entire ecosystem of connected services. Organizations must adopt a "assume breach" mentality and implement layered security controls, including robust network segmentation, continuous monitoring for anomalous activity, and regular security audits of all authentication mechanisms.
The incident also highlights the complexities of managing vulnerabilities in interconnected cloud services. The automatic enabling of FortiCloud SSO upon FortiCare registration, coupled with the critical nature of the vulnerability, underscores the need for organizations to meticulously review default configurations and actively manage the attack surface presented by cloud-integrated features. As cloud adoption accelerates, the security implications of such integrations become increasingly paramount.
Future Outlook and Lessons Learned
While Fortinet’s server-side block provides immediate relief, the long-term solution lies in the deployment of comprehensive patches. The swift development and thorough testing of these patches are crucial to restore full confidence in Fortinet’s security offerings. This incident is a testament to the dynamic nature of cybersecurity threats, where even seemingly patched systems can harbor latent vulnerabilities exploitable through alternate paths.
The broader lesson for the cybersecurity community is the imperative of defense-in-depth and the continuous validation of security controls. Relying solely on patches, while necessary, is insufficient. Organizations must implement robust monitoring capabilities to detect anomalous authentication attempts, unusual administrative account creation, and suspicious configuration changes. Furthermore, the incident reinforces the importance of threat intelligence sharing and rapid response capabilities to mitigate the impact of zero-day exploits effectively. As identity becomes the new perimeter, the security of SSO implementations and the vigilance of security teams in managing them will remain a critical determinant of organizational resilience against sophisticated cyber threats.
Ayu Aulia
Ridwan Kamil
Aura Kasih