Full Report
More work for admins on the cards as they await a full dump of fixes Things aren't over yet for Fortinet customers – the security shop has disclosed yet another critical FortiCloud SSO vulnerability.…
Analysis Summary
# Vulnerability: Critical FortiCloud SSO Authentication Bypass (Post-December Patch)
## CVE Details
- CVE ID: CVE-2026-24858
- CVSS Score: 9.4 (Critical)
- CWE: Authentication Bypass (Inferred from description)
## Affected Systems
- Products: FortiOS, FortiManager, FortiAnalyzer, FortiProxy
- Versions: Vulnerable versions awaiting recommended upgrades outlined in the advisory. (Specific version ranges noted as pending full dump of fixes)
- Configurations: Systems utilizing FortiCloud SSO authentication enabled via administrative registration on the device GUI.
## Vulnerability Description
CVE-2026-24858 is an authentication bypass vulnerability stemming from an alternate attack path that was not fully mitigated by previous December patches (related to CVE-2025-59718/CVE-2025-59719). The flaw allows an attacker who possesses a FortiCloud account and a registered device to log into other devices registered to different accounts, provided FortiCloud SSO authentication is enabled on the target devices. The original implied mechanism involved bypassing SSO checks via specially crafted SAML responses.
## Exploitation
- Status: Exploited in the wild (Two malicious FortiCloud accounts were confirmed to have exploited this path prior to blocking on January 22).
- Complexity: Medium (Requires an attacker to have a FortiCloud account and target devices configured with the feature).
- Attack Vector: Network
## Impact
- Confidentiality: High (Implied ability to access systems intended for other users/accounts)
- Integrity: High (Implied ability to perform actions with elevated privileges on target devices)
- Availability: Medium/High (If exploited to disrupt management functions)
## Remediation
### Patches
- Customers are instructed to upgrade to the version recommended in the security advisory to restore FortiCloud SSO services. Safe releases are available for some versions, but full patching is still in progress for most affected products.
### Workarounds
- Fortinet disabled FortiCloud SSO connections made from vulnerable versions as of the advisory release date.
- Administrators should verify if the "Allow administrative login using FortiCloud SSO" toggle was disabled during device registration, as this feature is not enabled by default factory settings.
## Detection
- Indicators of Compromise: Monitoring for successful authentication attempts on devices using FortiCloud SSO credentials that do not correspond to the expected administrative account identity (i.e., account hopping).
- Detection methods and tools: Analysis of authentication logs on affected FortiGate, FortiManager, FortiAnalyzer, and FortiProxy devices for anomalies related to FortiCloud SSO logins that violate standard authorization policies.
## References
- Vendor advisories: https://fortiguard.fortinet.com/psirt/FG-IR-26-060 (Defanged)