Fortinet Patches Critical FortiOS SSO Authentication Bypass Under Active Attack
Take action: If you are using Fortinet FortiGate, this is important and urgent. Patch your device. Especially if you use FortiCloud SSO, because Fortinet has blocked vulnerable versions from using the SSO service.
Learn More
Fortinet released emergency security updates to fix a critical authentication bypass flaw in FortiOS, FortiManager, and FortiAnalyzer.
The flaw is tracked as CVE-2026-24858 (CVSS score 9.4) - authentication bypass via alternate path in FortiOS, FortiManager, FortiAnalyzer, and FortiProxy.to hijack devices.
The flaw allows an attacker with a valid FortiCloud account and a registered device to log into other devices registered to different accounts if FortiCloud Single Sign-On (SSO) is enabled.
Threat actors used this path to bypass authentication and gain full administrative control. After a successful breach, attackers created local administrator accounts to maintain access and modified configurations to grant themselves VPN entry. Attackers also stole firewall configuration files.
Fortinet identified and locked two malicious accounts, cloud-noc@mail.io and cloud-init@mail.io, used in these campaigns. The company's technical analysis confirms the breach involves unauthorized configuration changes.
Fortinet temporarily disabled FortiCloud SSO globally on January 26, 2026. They restored the service the following day but blocked all vulnerable firmware versions from connecting. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) requires federal agencies to patch by January 30, 2026.
Administrators must upgrade to the latest firmware versions immediately to restore SSO functionality and secure their environments. If a device shows signs of compromise, such as unexpected accounts named audit or support, treat it as fully breached.
Fortinet recommends restoring configurations from a known clean backup and rotating all credentials, including linked LDAP or Active Directory passwords.
