Full Report
Attackers have exploited the critical defect to reconfigure firewall settings, create unauthorized accounts with privileged access to multiple versions of the vendor’s security products. The post Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customers appeared first on CyberScoop.
Analysis Summary
# Vulnerability: FortiCloud SSO Authentication Bypass Leading to Privilege Escalation
## CVE Details
- CVE ID: CVE-2026-24858
- CVSS Score: 9.8 (Critical)
- CWE: Authentication Bypass (Inferred, based on description)
## Affected Systems
- Products: FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiWeb (All products integrating FortiCloud SSO)
- Versions: Multiple versions released in December (Awaiting specific vendor versions, but confirmed vulnerable versions are those running since December disclosures).
- Configurations: Instances with FortiCloud SSO enabled.
## Vulnerability Description
A critical zero-day vulnerability in the Single Sign-On (SSO) flow for FortiCloud allows an attacker who possesses a FortiCloud account and a registered device to log into devices registered to *other* accounts. This grants the attacker unauthorized privileged access, enabling them to reconfigure firewall settings, create unauthorized administrator accounts, and alter VPN configurations on the affected Fortinet products.
## Exploitation
- Status: Exploited in the wild (Confirmed by CISA KE catalog addition and vendor advisories, with exploitation noted earlier this month).
- Complexity: Low (Implied by successful real-world exploitation and authentication bypass capability).
- Attack Vector: Network (Requires FortiCloud access).
## Impact
- Confidentiality: High (Privileged access to sensitive configurations and data).
- Integrity: High (Ability to reconfigure firewall settings and manipulate credentials).
- Availability: Medium/High (Ability to disrupt service via configuration changes).
## Remediation
### Patches
- Patch information is currently **not available** based on the article. Fortinet has not yet released patches for the affected products.
### Workarounds
- Fortinet disabled FortiCloud SSO on Monday (prior to article date) and re-enabled it Tuesday with controls in place to prevent logins to devices running vulnerable software versions.
- Customers should consult the Fortinet security advisory for specific guidance, noting that the vendor has confirmed limitations on vulnerable software versions post-mitigation.
## Detection
- Indicators of Compromise (IOCs): Attackers utilized two malicious FortiCloud accounts that Fortinet blocked on Jan. 22. Specific IoCs should be referenced from the official Fortinet blog post mentioned in the source.
- Detection Methods and Tools: Monitoring of FortiCloud authentication logs and device administrative changes (firewall setting modifications, new account creation) correlated with the relevant timeframes. CISA has added this to their Known Exploited Vulnerabilities Catalog.
## References
- Vendor Advisory: fortiguard dot fortinet dot com/psirt/FG-IR-26-060
- CISA Alert (Guidance): cisa dot gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
- Fortinet Analysis Blog: fortinet dot com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
- Vulnerability Database Linking: nvd dot nist dot gov/vuln/detail/CVE-2026-24858