Red Hot Cyber
Fortinet Vulnerability CVE-2026-24858: Hackers Inside Networks with Legitimate Credentials

28 January 2026 07:22

A serious flaw, classified as CVE-2026-24858, has been confirmed to be exploited in real-world attacks against vulnerable devices.

This isn’t a theoretical warning or an isolated problem: attackers have already breached networks using techniques that bypass authentication controls that many considered secure.

The root of the problem is a logic flaw in the way Fortinet handles single sign-on (SSO) sessions through FortiCloud. This flaw allows an attacker with a valid FortiCloud account and a registered device to access other devices without holding the correct credentials for them, completely bypassing the normal authentication process.

Vulnerability and Exploitation

The core of the vulnerability lies in the FortiCloud SSO feature. While this option isn’t enabled by default on devices shipped from the factory, it often becomes active during standard administrative procedures, such as enrolling the device in FortiCare via the graphical interface.

The worst-case scenario has already materialized: two FortiCloud accounts controlled by malicious actors were identified as exploiting the vulnerability to gain unauthorized access to customer networks. Once inside, the attackers didn’t just log in once, but created persistent local administrative accounts to maintain control even after the initial session was closed.

Immediate Mitigations

Fortinet, which reported the exploitation, responded promptly: on January 22, 2026, the compromised accounts were blocked, and on January 26, the entire FortiCloud SSO mechanism was temporarily disabled on the server side to prevent further abuse. The next day, the service was reactivated with restrictions, preventing devices running vulnerable versions from logging in until the necessary updates were applied.

System administrators should not ignore this bulletin. It is essential to review access logs for logins by the attacker-controlled account emails and to monitor traffic from the IP addresses known to be associated with the attacks.
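The log review above, written out as an added example rather than anything from the article or from Fortinet: it correlates successful FortiCloud SSO logins with local admin accounts created shortly afterwards (the persistence pattern described in the previous section) and separately lists SSO logins from watchlisted emails or IP addresses. The key=value line layout, the field names and the sample events are all constructed assumptions, not Fortinet's real log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real data). The key=value layout and the field
# names (action, method, user, srcip, newadmin) are assumptions for this example.
SAMPLE_LOG = """\
time="2026-01-21 03:12:41" action=login method=sso user="ops@example.com" srcip=203.0.113.10 status=success
time="2026-01-21 03:14:05" action=add-admin user="ops@example.com" srcip=203.0.113.10 newadmin=svc_backup
time="2026-01-21 09:30:00" action=login method=local user="admin" srcip=192.0.2.5 status=success
time="2026-01-21 09:31:10" action=add-admin user="admin" srcip=192.0.2.5 newadmin=helpdesk
time="2026-01-22 22:47:19" action=login method=sso user="ops@example.com" srcip=203.0.113.10 status=success
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW = timedelta(minutes=30)  # admin creation this soon after an SSO login is tied to it

def parse_events(log_text):
    """Yield one dict per non-empty line, with the timestamp parsed under 'ts'."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        yield ev

def find_sso_admin_persistence(log_text, window=WINDOW):
    """Return (sso_user, srcip, new_admin) for each local admin account created
    within `window` of a successful SSO login by the same user and source IP."""
    last_sso_login, hits = {}, []
    for ev in parse_events(log_text):
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("action") == "login" and ev.get("method") == "sso" and ev.get("status") == "success":
            last_sso_login[key] = ev["ts"]
        elif ev.get("action") == "add-admin":
            seen = last_sso_login.get(key)
            if seen is not None and ev["ts"] - seen <= window:
                hits.append((key[0], key[1], ev["newadmin"]))
    return hits

def sso_logins_matching(log_text, watchlist):
    """Return (time, user, srcip) for SSO logins whose account email or source IP
    is on `watchlist` (e.g. the accounts and addresses named in a vendor bulletin)."""
    return [
        (ev["ts"].isoformat(sep=" "), ev["user"], ev["srcip"])
        for ev in parse_events(log_text)
        if ev.get("action") == "login" and ev.get("method") == "sso"
        and (ev.get("user") in watchlist or ev.get("srcip") in watchlist)
    ]
```

On the sample, the local `admin` creating `helpdesk` is not flagged because it was not preceded by an SSO login, while `svc_backup` created two minutes after the SSO session is.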

A permanent fix for this flaw cannot be achieved with a simple server-side block: devices must be updated to the latest firmware versions to restore full security and allow the safe return of SSO service.


Bajram Zeqiri is an expert in cybersecurity, cyber threat intelligence, and digital forensics with over twenty years of experience, combining technical expertise and strategic vision to build cyber resilience for SMEs. Founder of ParagonSec and a technical contributor for Red Hot Cyber, he works in the delivery and design of various cyber services, including SOC, MDR, Incident Response, Security Architecture, Engineering, and Operations. He helps SMEs transform cybersecurity from a cost center into a strategic business enabler.
Areas of Expertise: Cyber threat intelligence, Incident response, Digital forensics, Malware analysis, Security architecture, SOC/MDR operations, OSINT research