DEV Community

Mark0

Fortinet blocks exploited FortiCloud SSO zero day until patch is ready

Fortinet has confirmed a critical zero-day authentication bypass vulnerability, tracked as CVE-2026-24858, affecting its FortiCloud Single Sign-On (SSO) implementation. This flaw allows remote attackers to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices, even if they were previously patched against earlier vulnerabilities. The company has already observed active exploitation where attackers used rogue accounts to exfiltrate firewall configurations and create local administrator accounts.

In response to the ongoing threat, Fortinet has implemented server-side mitigations by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. While official patches are still under development, the company has restored restricted SSO access and provided manual commands for administrators to disable the feature if necessary. Organizations that detect indicators of compromise, such as unknown admin accounts or connections from suspicious IP addresses, are urged to treat their systems as fully compromised and rotate all credentials immediately.
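One way to check a device for the unknown-admin-account indicator mentioned above, as an added example that is not from Fortinet or the original article. It assumes the FortiOS backup layout (`config system admin` / `config system global` blocks) and the `admin-forticloud-sso-login` setting name; the sample configuration, account names and approved list are constructed.

```python
import re

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
    next
    edit "svc_backup2"
        set accprofile "super_admin"
    next
end
"""

WATCHED = ("config system admin", "config system global")

def audit(config, approved_admins):
    """Return admin accounts missing from the approved list and the SSO setting."""
    admins, sso, block, depth = [], None, None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if block is None:                      # outside the blocks we care about
            if line in WATCHED:
                block, depth = line, 0
            continue
        if line.startswith("config "):         # nested table inside an entry
            depth += 1
        elif line == "end":
            if depth == 0:
                block = None
            else:
                depth -= 1
        elif depth == 0 and block == WATCHED[0]:
            m = re.match(r'edit "?([^"]+)"?$', line)
            if m:
                admins.append(m.group(1))
        elif depth == 0 and line.startswith("set admin-forticloud-sso-login "):
            sso = line.split()[-1]             # stays None if the line is absent
    unknown = sorted(set(admins) - set(approved_admins))
    return {"unknown_admins": unknown, "forticloud_sso_login": sso}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"admin", "netops"}))
```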

