Arctic Wolf reported a wave of automated attacks targeting Fortinet FortiGate firewalls beginning January 15, 2026. The attackers exploited CVE-2026-24858, a critical FortiCloud SSO authentication bypass, to gain administrative access, create backdoor accounts, and exfiltrate firewall configurations—even on devices patched against previous FortiCloud SSO vulnerabilities.
Vulnerability overview
| Field | Value |
|---|---|
| CVE | CVE-2026-24858 |
| CVSS | 9.8 (Critical) |
| Type | Authentication Bypass Using an Alternate Path |
| CWE | CWE-288 |
| Attack Vector | Network (FortiCloud SSO) |
| Authentication | Requires any FortiCloud account |
| CISA KEV | Added January 27, 2026 |
| Patch Deadline (FCEB) | February 18, 2026 |
Timeline
| Date | Event |
|---|---|
| January 15, 2026 | Arctic Wolf first observes automated attack cluster |
| January 20, 2026 | Multiple Fortinet customers report unauthorized admin account creation |
| January 22, 2026 | Two malicious FortiCloud accounts locked out by Fortinet |
| January 23, 2026 | Fortinet confirms this is a distinct vulnerability, not a patch bypass |
| January 26, 2026 | Fortinet temporarily suspends all FortiCloud SSO authentication globally |
| January 27, 2026 | Fortinet publishes PSIRT advisory; CISA adds to KEV catalog |
| January 27, 2026 | FortiCloud SSO restored only for patched devices |
| January 28, 2026 | FortiOS 7.6.6 and 7.4.11 released with patches |
The vulnerability
CVE-2026-24858 allows anyone with a FortiCloud account and a registered device to authenticate to devices registered by other FortiCloud users—if FortiCloud SSO is enabled.
| Requirement | Details |
|---|---|
| Attacker needs | Any FortiCloud account |
| Attacker needs | At least one registered device |
| Target requirement | FortiCloud SSO enabled |
| Authentication | Bypasses normal user verification |
This is the third FortiCloud SSO authentication bypass discovered in recent months:
| CVE | Discovery | Relationship |
|---|---|---|
| CVE-2025-59718 | December 2025 | Original SSO bypass |
| CVE-2025-59719 | December 2025 | Related bypass |
| CVE-2026-24858 | January 2026 | New distinct vulnerability |
Critical finding: Devices patched for the previous CVEs remained vulnerable to CVE-2026-24858.
Attack characteristics
Arctic Wolf observed all attack events completing within seconds of each other, indicating fully automated tooling:
Attack chain
| Phase | Action | Time |
|---|---|---|
| 1 | Authenticate via FortiCloud SSO to victim device | Seconds |
| 2 | Create backdoor admin accounts for persistence | Seconds |
| 3 | Enable VPN access for alternative entry points | Seconds |
| 4 | Download full device configurations | Seconds |
Observed backdoor account names
| Account name | Purpose |
|---|---|
| audit | Appears legitimate |
| backup | Appears legitimate |
| itadmin | Appears legitimate |
| secadmin | Appears legitimate |
| remoteadmin | Appears legitimate |
The December 2025 campaign used similar techniques, suggesting the same threat actor or shared tooling between campaigns.
What attackers gain
Stolen FortiGate configurations provide attackers with:
| Data | Risk |
|---|---|
| Internal IP ranges | Network topology mapping |
| Routing tables | Attack path planning |
| VPN configurations | Persistent remote access |
| LDAP/AD credentials | Domain compromise |
| Firewall rules | Security gap identification |
| SSL VPN settings | Alternative access methods |
This information enables targeted follow-on attacks against the victim’s internal network.
Post-compromise capabilities
| Capability | Impact |
|---|---|
| Network reconnaissance | Full visibility into internal structure |
| Credential reuse | LDAP/AD credentials enable domain attacks |
| Persistent access | VPN accounts provide ongoing entry |
| Firewall manipulation | Disable security controls |
| Lateral movement | Use compromised firewall as pivot point |
Affected products and patches
Affected products
| Product | Vulnerable |
|---|---|
| FortiOS | Yes |
| FortiManager | Yes |
| FortiWeb | Yes |
| FortiProxy | Yes |
| FortiAnalyzer | Yes |
Fixed versions
| Product | Fixed Version | Status |
|---|---|---|
| FortiOS | 7.6.6 | Released |
| FortiOS | 7.4.11 | Released |
| FortiManager | In progress | Patches pending |
| FortiAnalyzer | In progress | Patches pending |
Devices running earlier versions must upgrade. FortiCloud SSO is now only enabled for devices running patched firmware.
Internet exposure
The exploitation appears limited to devices with management interfaces exposed to the internet.
| Metric | Value |
|---|---|
| Exposed instances (Shadowserver) | ~10,000 globally |
| US exposure | ~25% of total |
| FortiCloud SSO enabled | Required for exploitation |
Fortinet’s emergency response
Fortinet took the unusual step of globally suspending FortiCloud SSO as an emergency mitigation:
| Date | Action |
|---|---|
| January 22, 2026 | Two malicious FortiCloud accounts locked |
| January 26, 2026 | FortiCloud SSO disabled globally |
| January 27, 2026 | SSO re-enabled only for patched devices |
“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on [January 22, 2026].”
Observed malicious activity
On fully upgraded Fortinet devices, the following malicious activity was observed:
| Activity | Indicator |
|---|---|
| Unauthorized firewall configuration changes | Modified rules, policies |
| Unauthorized account creation | New admin accounts |
| VPN configuration changes | New VPN users, modified settings |
| Configuration exports | Full device config downloads |

| Priority | Action |
|---|---|
| 1 | Disable FortiCloud SSO until patches are applied |
| 2 | Audit admin accounts; remove unauthorized accounts |
| 3 | Review firewall configurations for unauthorized changes |
| 4 | Restore from clean backup if modifications found |
| 5 | Rotate all credentials stored on or connected to FortiGate |
| 6 | Apply patches: upgrade to FortiOS 7.6.6 or 7.4.11 |
| 7 | Block management interface exposure to internet |
Disabling FortiCloud SSO
Navigate to: System → Settings
Set "Allow administrative login using FortiCloud SSO" to Off
Credential rotation requirements
| Credential type | Action |
|---|---|
| FortiGate admin accounts | Reset passwords |
| LDAP service accounts | Rotate in Active Directory |
| VPN user credentials | Force password reset |
| API keys | Regenerate |
| RADIUS shared secrets | Update on both ends |
Detection indicators
Monitor for:
| Indicator | Meaning |
|---|---|
| FortiCloud SSO logins from unfamiliar accounts | Unauthorized access |
| New administrator account creation | Persistence mechanism |
| Configuration downloads or exports | Data exfiltration |
| VPN user account creation | Alternative access |
| Changes to firewall rules | Security weakening |
| SSL VPN setting modifications | Backdoor creation |
Log review queries
| Log source | Search for |
|---|---|
| FortiGate event logs | Admin account creation events |
| FortiCloud logs | SSO authentications from new sources |
| Configuration change logs | VPN, user, rule modifications |
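The following is an added example (not from Arctic Wolf or Fortinet) that turns the detection indicators and log review queries above into a small hunt script over FortiGate-style key=value event logs. It also applies the report's automation observation: an SSO login, admin account creation and configuration export from one actor within seconds is flagged as a chain. The sample lines are constructed; the FortiGate field names (`logdesc`, `user`, `ui`, `action`, `cfgpath`, `cfgobj`) are real, but the values, and the assumption that `ui` names the FortiCloud SSO login method, are this example's own.

```python
import re
from datetime import datetime
# Backdoor account names Arctic Wolf observed in this campaign.
SUSPECT_ACCOUNTS = {"audit", "backup", "itadmin", "secadmin", "remoteadmin"}
CHAIN = {"sso_login", "admin_account_created", "config_export"}  # the reported burst
PATH_TAGS = {"vpn.": "vpn_change", "user.local": "vpn_change", "firewall.policy": "firewall_rule_change"}
# Constructed FortiGate-style key=value lines: field names follow the FortiGate log
# convention; every value (user, times, the ui/logdesc strings) is invented for this example.
SAMPLE_LOG = """\
date=2026-01-20 time=03:12:05 type="event" subtype="system" logdesc="Admin login successful" user="cloud-user@example.invalid" ui="FortiCloud SSO" action="login" status="success"
date=2026-01-20 time=03:12:07 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-user@example.invalid" action="Add" cfgpath="system.admin" cfgobj="itadmin" msg="Add system.admin itadmin"
date=2026-01-20 time=03:12:08 type="event" subtype="system" logdesc="Object attribute configured" user="cloud-user@example.invalid" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"
date=2026-01-20 time=03:12:09 type="event" subtype="system" logdesc="Configuration backed up" user="cloud-user@example.invalid" action="backup" msg="Configuration backup"
date=2026-01-20 time=09:45:11 type="event" subtype="system" logdesc="Object attribute configured" user="admin" action="Edit" cfgpath="firewall.policy" cfgobj="17" msg="Edit firewall.policy 17"
"""
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {m[1]: m[3] if m[3] is not None else m[2] for m in KV_RE.finditer(line)}

def classify(ev: dict) -> list:
    """Map one event onto the detection indicators listed above (zero or more tags)."""
    path, action, tags = ev.get("cfgpath", ""), ev.get("action", ""), []
    if action == "login" and "forticloud" in ev.get("ui", "").lower():
        tags.append("sso_login")  # assumption: the ui field names the SSO login method
    if path == "system.admin" and action == "Add":
        tags.append("admin_account_created")
        if ev.get("cfgobj", "").lower() in SUSPECT_ACCOUNTS:
            tags.append("known_backdoor_name")
    tags += [tag for prefix, tag in PATH_TAGS.items() if path.startswith(prefix)]
    if action == "backup" or "backup" in ev.get("logdesc", "").lower():
        tags.append("config_export")
    return tags

def hunt(log_text: str, window_seconds: int = 60) -> dict:
    """Per actor: collect indicator tags; flag the login->admin->export chain if it fits the window."""
    per_user = {}
    for line in log_text.splitlines():
        tags = classify(ev := parse_event(line))
        if tags:
            ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
            per_user.setdefault(ev.get("user", "?"), []).append((ts, tags))
    findings = {}
    for user, events in per_user.items():
        hit = sorted({t for _, tags in events for t in tags})
        core = [ts for ts, tags in events if CHAIN & set(tags)]
        if CHAIN <= set(hit) and (max(core) - min(core)).total_seconds() <= window_seconds:
            hit.append("automated_chain_within_window")  # seconds apart: automated tooling
        findings[user] = hit
    return findings
```

Run `hunt()` over an exported event log; an actor carrying `known_backdoor_name` or `automated_chain_within_window` should be treated as a confirmed compromise and handled per the priority table above.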
Recommendations
For affected organizations
| Priority | Action |
|---|---|
| Critical | Patch immediately (FortiOS 7.6.6/7.4.11) |
| Critical | Audit for IOCs listed above |
| Critical | Assume compromise if FortiCloud SSO was enabled |
| High | Rotate all stored credentials |
| High | Remove internet exposure of management interfaces |
| Ongoing | Monitor for unauthorized changes |
For security teams
| Priority | Action |
|---|---|
| Critical | Inventory all Fortinet devices |
| High | Verify patch status across fleet |
| High | Hunt for backdoor accounts |
| High | Review configuration integrity |
| Medium | Evaluate FortiCloud SSO necessity |
| Ongoing | Monitor Fortinet security advisories |
Context
The repeated discovery of critical authentication bypasses in FortiCloud SSO raises questions about the underlying architecture. This is the third critical SSO bypass in recent months, and devices patched for previous vulnerabilities remained vulnerable.
Organizations should evaluate whether cloud-based single sign-on for security infrastructure introduces unacceptable risk, particularly when the authentication service itself becomes a target.
Fortinet’s decision to globally suspend FortiCloud SSO while patching indicates the severity of the threat. Organizations should maintain the ability to manage Fortinet devices through alternative methods when cloud services are unavailable.
The pattern of repeated SSO vulnerabilities suggests that FortiCloud SSO may warrant additional architectural scrutiny before re-enabling in production environments.