Skip to Content

FortiCloud SSO Critical Vulnerability CVE-2026-24858

Fortinet confirms a critical, actively exploited FortiCloud SSO bypass (CVE-2026-24858) with CVSS 9.4. Learn the impact, mitigation steps, and how to protect your FortiGate devices.
27 January 2026 by
TechStora Editorial Board

Overview

Fortinet has disclosed a critical authentication bypass vulnerability in FortiCloud Single Sign‑On (SSO) identified as CVE-2026-24858. The flaw allows attackers to create new local administrator accounts even on fully patched devices, earning a CVSS score of 9.4 and being actively exploited in the wild.

Key Details

  • Vulnerability ID: CVE-2026-24858 – a zero‑day exploit targeting FortiCloud SSO.
  • Impact: Authentication bypass via an alternate authentication path, enabling creation of privileged accounts.
  • Exploitation: Attackers used compromised SSO accounts (e.g., cloud‑init@mail.io) to log in and add admin users such as admin, itadmin, secadmin.
  • Mitigation: Fortinet blocked FortiCloud SSO connections from vulnerable firmware and introduced a server‑side toggle; disabling SSO client‑side is no longer required.
  • Recommendations: Review all admin accounts, restore from clean backups, rotate credentials, and monitor for the listed IP indicators.

What to Do Next

Organizations should immediately restrict administrative access, verify that the server‑side block is active, and follow Fortinet’s advisory for remediation.

Stay protected – update your FortiGate devices today!