Fortinet Confirms New Zero-Day Behind Malicious SSO Logins - Dark Reading

VULNERABILITIES & THREATS CYBER RISK IDENTITY & ACCESS MANAGEMENT SECURITY CYBERATTACKS & DATA BREACHES NEWS Fortinet Confirms New Zero-Day Behind Malicious SSO Logins To stop the ongoing attacks, the cybersecurity vendor took the drastic step of temporarily disabling FortiCloud single sign-on (SSO) authentication for all devices. Rob Wright,Senior News Director,Dark Reading January 28, 2026 4 Min Read SOURCE: POSTMODERN STUDIO VIA ALAMY STOCK PHOTO Fortinet confirmed that a new zero-day vulnerability under exploitation was the cause of a spate of malicious logins through FortiCloud's single sign-on (SSO) feature. The cybersecurity vendor on Tuesday disclosed CVE-2026-24858, a critical authentication bypass vulnerability with a CVSS score of 9.8 that affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. According to Fortinet's advisory, exploitation of the flaw allows an attacker to log in to a device using the FortiCloud SSO authentication feature. In short, a threat actor armed with an active FortiCloud account and a registered Fortinet device could use the vulnerability to log into another user's device as if it were their own, as long as SSO is enabled on the device. On the bright side, Fortinet noted that the FortiCloud SSO login feature is not enabled by default on devices. "However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration," thereby overriding the default, the advisory stated. Related:Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos It's unclear how many Fortinet devices have the SSO feature enabled. Dark Reading contacted Fortinet for comment, but the vendor had not responded at press time. Fortinet Patch Bypass Fears Come True The disclosure of CVE-2026-24858 follows recent reports of malicious SSO logins on Fortinet devices, which echoed similar threat activity last month. In early December, Fortinet disclosed and patched a different vulnerability, tracked as CVE-2025-59718, that attackers use to bypass FortiCloud SSO login authentication. The flaw came under attack later that month, and the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. However, unconfirmed reports emerged from users on Reddit's r/Fortinet community last week that the malicious logins continued, even on devices that had been patched for CVE-2025-59718. In a Jan. 21 report, Arctic Wolf Labs said it observed unidentified threat actors accessing FortiGate firewalls via SSO logins to make configuration changes to the devices.  This led to concerns that attackers discovered a bypass for CVE-2025-59718's patch. Last Thursday, Fortinet chief information security officer (CISO) Carl Windsor said in a blog post that the company had observed malicious SSO logins on patched devices, and that Fortinet was investigating a potential "new attack path." Related:Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical The disclosure of CVE-2026-24858, which CISA also added to its KEV catalog on Tuesday, at least partially confirmed those fears. Fortinet has not released the technical details for the new zero-day authentication bypass flaw, so it's unclear what connection if any exists to CVE-2025-59718. However, Windsor's blog post was updated recently to note that Fortinet "confirmed that this issue only impacts FortiCloud SSO and does not impact third-party SAML IdP or FortiAuthenticator implementations." The blog post initially stated that while threat activity had only been observed with FortiCloud SSO logins, "this issue is applicable to all SAML SSO implementations."  Regardless of the technical details, CVE-2026-24858 poses major risk to organizations. In a blog post today, threat intelligence vendor SOCRadar noted that attackers can access edge devices and gain administrative privileges. "Because FortiGate and related platforms often sit at the edge of enterprise networks, unauthorized admin access can expose sensitive configurations and create long-term security risks," SOCRadar said. Mitigating Exploitation of CVE-2026-24858 Fortinet's advisory noted that the exploitation of CVE-2026-24858 was traced to two FortiCloud accounts, which were disabled by the vendor Jan. 22. But Fortinet took even more drastic actions on Jan. 26 to stop the malicious logins by temporarily disabling the FortiCloud SSO feature for all accounts and devices. Related:Cisco SD-WAN Zero-Day Under Exploitation for 3 Years Fortinet re-enabled the feature Jan. 27, but it no longer supports login from devices running versions vulnerable to CVE-2026-24858. "Therefore disabling FortiCloud SSO login on client side is not necessary at the moment," the advisory stated. Fortinet urged customers to upgrade all devices running FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb to fixed versions. According to the advisory, the vendor is investigating whether FortiSwitch Manager is vulnerable to CVE-2026-24858. In an emailed advisory today, Shadowserver Foundation CEO Piotr Kijewski said the organization's scans revealed approximately 10,000 exposed Fortinet instances with FortiCloud SSO enabled. That number is a steep drop from the 25,000 exposed instances Shadowserver observed in mid-December following the exploitation of CVE-2025-59718. About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE