⬇️
Key Takeaways
- A new critical authentication bypass vulnerability (CVE-2026-24858) has been discovered affecting FortiCloud SSO, exploited despite previous December patches
- Multiple Fortinet products including FortiAnalyzer, FortiManager, FortiOS, and FortiProxy are affected, with patches still in development for most versions
- The vulnerability allows attackers with FortiCloud accounts to access other customers' devices when SSO authentication is enabled during registration
Administrators managing Fortinet infrastructure are facing another round of emergency responses after the company disclosed a separate critical vulnerability in its FortiCloud single sign-on implementation. The timing couldn't be worse—many organizations were still working through patches from December when user reports started surfacing about continued compromises.
Here's what makes this situation particularly frustrating: Fortinet patched two related SSO vulnerabilities back in December (CVE-2025-59718 and CVE-2025-59719), both involving authentication bypasses through crafted SAML responses. Organizations that diligently applied those patches assumed they were protected. They weren't.
Arctic Wolf security researchers first spotted the attacks around January 15, initially believing they were seeing exploitation of the December vulnerabilities. But as more FortiCloud SSO accounts showed signs of compromise despite being fully patched, it became clear something else was at play. Fortinet confirmed on January 22 that attackers had found an alternate path—a completely separate vulnerability now tracked as CVE-2026-24858 with a CVSS score of 9.4.
The new flaw is an authentication bypass that lets attackers with a FortiCloud account and at least one registered device log into other devices registered to different accounts. The attack requires FortiCloud SSO authentication to be enabled on target devices, but that's where the configuration defaults create problems.
The Default Settings Problem
While FortiCloud SSO isn't enabled in factory default settings, there's a catch. When administrators register devices to FortiCare through the device's graphical interface, the "Allow administrative login using FortiCloud SSO" toggle is enabled automatically unless specifically disabled during registration. How many admins carefully review every toggle during what's typically a routine registration process?
According to Fortinet's advisory, the company detected exploitation by two malicious FortiCloud accounts in the wild. Both were blocked as of January 22, and Fortinet disabled FortiCloud SSO connections from vulnerable versions across its infrastructure. That's good for containment, but it creates operational headaches for legitimate users who now find their SSO access disrupted.
The affected product list includes FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. Some versions have safe releases available already, though patches remain in development for most configurations. FortiWeb and FortiSwitch Manager are still under investigation to determine their exposure.
Broader Implications for SAML-Based SSO
Carl Windsor, CISO at Fortinet, raised a concerning point when the company first acknowledged the bypass on January 22: while the observed attacks specifically targeted FortiCloud SSO, all SAML-based SSO implementations potentially share similar vulnerabilities. That's a sobering thought for organizations relying on SAML across their authentication infrastructure.
This incident highlights the complexity of modern authentication systems. SAML has been the enterprise standard for SSO for years, but its flexibility creates multiple potential attack surfaces. When vendors implement SAML, they're making numerous technical decisions about token handling, response validation, and session management. Miss something in one of those implementation details, and you've created an alternate path for attackers.
What should administrators do right now? First, check Fortinet's latest advisory for specific version recommendations and upgrade paths. Second, if your organization uses FortiCloud SSO, verify whether it's actually necessary for your operations. Third, review your device registration processes to ensure that SSO toggles aren't being automatically enabled without conscious decisions.
The pattern here is troubling. This isn't Fortinet's first rodeo with critical vulnerabilities this month—the company has disclosed multiple zero-days under active exploitation recently. For a security vendor, that's a tough position to be in. Organizations build their network perimeters around these products, trusting them to be the hardened barrier between internal assets and external threats.
Waiting for complete patches while simultaneously managing disrupted SSO functionality puts IT teams in a difficult spot. They need to maintain operational access for legitimate users while closing off attack vectors that are already being exploited. It's the kind of juggling act that makes for long nights in network operations centers.
The situation remains fluid. Administrators should monitor Fortinet's security advisories closely and prepare for additional patches as the investigation into FortiWeb and FortiSwitch Manager continues.
