DEV Community

Mark0

Fortinet blocks exploited FortiCloud SSO zero day until patch is ready

Fortinet has confirmed a critical zero-day vulnerability (CVE-2026-24858) in its FortiCloud Single Sign-On (SSO) system, which is currently being exploited in the wild. The flaw allows attackers to bypass authentication and gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices, even if they were patched against previous vulnerabilities. This vulnerability is rated as critical with a CVSS score of 9.4.

Attackers have been observed using rogue FortiCloud accounts to log into devices and create various local administrator accounts to maintain persistence and exfiltrate configurations. While patches are still in development, Fortinet has implemented server-side mitigations by blocking SSO connections from devices running vulnerable firmware. Administrators are advised to review logs for indicators of compromise and consider manually disabling FortiCloud SSO via the command line as an additional precaution.
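One way to run the log review described above, as an added example that is not part of the original post or Fortinet's guidance: it flags a local administrator account created shortly after a successful SSO admin login by the same user. The key=value field names (`method`, `cfgpath`, `cfgobj`, `action`), the 30-minute window, and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events. The key=value field names are assumptions;
# map them to the fields your devices actually emit.
SAMPLE_LOG = """\
date=2026-01-20 time=03:14:07 logdesc="Admin login successful" user="ops@example.com" method="sso" srcip=203.0.113.50 status="success"
date=2026-01-20 time=03:15:31 logdesc="Object attribute configured" user="ops@example.com" cfgpath="system.admin" cfgobj="backup-svc" action="Add"
date=2026-01-20 time=09:02:10 logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.7 status="success"
date=2026-01-20 time=09:05:44 logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="helpdesk" action="Add"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the line's key=value fields plus a parsed 'ts', or None."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    try:
        fields["ts"] = datetime.strptime(
            f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None  # not an event line we can place in time
    return fields

def find_sso_admin_creation(log_text, window=timedelta(minutes=30)):
    """Flag local admin accounts added shortly after an SSO admin login."""
    last_sso = {}   # user -> most recent successful SSO login event
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev.get("method") == "sso" and ev.get("status") == "success":
            last_sso[ev.get("user")] = ev
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            login = last_sso.get(ev.get("user"))
            if login and timedelta(0) <= ev["ts"] - login["ts"] <= window:
                findings.append({
                    "sso_user": login.get("user"),
                    "srcip": login.get("srcip"),
                    "new_admin": ev.get("cfgobj"),
                    "created": ev["ts"].isoformat(sep=" "),
                })
    return findings

if __name__ == "__main__":
    for hit in find_sso_admin_creation(SAMPLE_LOG):
        print(hit)
```

Admin accounts added after a non-SSO login (the `helpdesk` line in the sample) are not flagged, so treat a clean result as narrowing the review rather than closing it.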

