Fortinet disables FortiCloud SSO worldwide after critical cross-tenant login flaw is exploited

When Fortinet quietly shut off its FortiCloud single sign-on service for every customer on Jan. 26, administrators around the world abruptly lost a favored way to log in to their own firewalls and management consoles.

The decision was not a maintenance hiccup. It was an emergency response to a critical vulnerability, now tracked as CVE-2026-24858, that allowed attackers with their own FortiCloud accounts to sign in to other organizations’ Fortinet devices when a cloud-based SSO feature was enabled.

Security agencies have since labeled the flaw a top-tier risk. The Cybersecurity and Infrastructure Security Agency added it to the Known Exploited Vulnerabilities catalog on Jan. 27 with a remediation deadline of Jan. 30 for U.S. civilian agencies, calling on federal networks to patch or mitigate immediately.

A cross-tenant backdoor in cloud SSO

In a security advisory and supporting documentation, Fortinet described CVE-2026-24858 as an “Authentication Bypass Using an Alternate Path or Channel” affecting the FortiCloud SSO login feature used across multiple products, including FortiOS (which runs FortiGate firewalls), FortiManager, FortiAnalyzer, FortiProxy and FortiWeb.

The company said the weakness could let an attacker “with a FortiCloud account and a registered device … log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.”

The U.S. National Vulnerability Database assigned the bug a CVSS 3.1 score of 9.8 out of 10, classifying it as critical.

The vulnerability affects devices only when FortiCloud SSO is turned on for administrative logins. Fortinet has stressed that the feature is not enabled in factory-default settings. However, its advisory notes that behavior changes when customers register hardware to FortiCare, Fortinet’s support platform, using the web interface.

“When an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch ‘Allow administrative login using FortiCloud SSO’ … FortiCloud SSO login is enabled upon registration,” the company wrote.

That design meant many organizations likely had the cloud login path activated without separately deciding to rely on it as a primary access method, expanding the potential attack surface.

From unusual logins to a new zero-day

Fortinet disclosed two earlier FortiCloud SSO flaws in December 2025, CVE-2025-59718 and CVE-2025-59719, involving improper verification of cryptographic signatures in SAML-based SSO flows. Those issues were found during an internal code review and quickly patched.

In early January, however, Fortinet and threat intelligence firms began observing suspicious FortiCloud SSO activity that did not match the pattern of the December bugs. Logs at some customers showed successful SSO logins on devices that had already been updated, suggesting a previously unknown weakness in the authentication logic.

By around Jan. 21 and Jan. 22, Fortinet had confirmed that attackers were exploiting a new flaw that allowed FortiCloud SSO access to devices belonging to other tenants, even when the December vulnerabilities had been fixed.

In a Jan. 22 blog post titled “Analysis of Single Sign On (SSO) abuse on FortiOS,” Fortinet Chief Information Security Officer Carl Windsor said the company had identified malicious logins from a small number of FortiCloud accounts and urged customers to review administrative logs, search for unexpected local administrator accounts and disable FortiCloud SSO if it was not required.

One sample log entry published by Fortinet shows how the attacks appeared in device logs: an “Admin login successful” event using the FortiCloud user “cloud-init@mail.io” with the interface listed as “sso(104.28.244.115)” and login method “sso.”

Fortinet’s investigation found at least two FortiCloud accounts associated with the activity, commonly reported as cloud-noc@mail.io and cloud-init@mail.io. Once they logged in through SSO, the attackers typically created new local administrator accounts with names such as “audit,” “backup,” “itadmin,” “secadmin,” “support,” “backupadmin,” “deploy,” “remoteadmin,” “security,” “svcadmin” and “system.”

Attackers also downloaded configuration files, which can contain network topologies, firewall policies and sometimes credentials, and in some cases made changes that could facilitate longer-term remote access.

Fortinet said it locked the malicious FortiCloud accounts on Jan. 22 to stop further logins via that specific path.

A global kill switch for cloud login

Even after the abusive accounts were disabled, the underlying weakness in FortiCloud SSO remained. On Jan. 26, Fortinet took the unusual step of disabling the entire FortiCloud SSO service on the cloud side for all customers, regardless of whether they had seen suspicious activity.

The company described the move as a protective measure while it completed its investigation and prepared patches.

Shutting off SSO meant administrators could no longer use FortiCloud accounts to sign in to FortiGate firewalls and other appliances that relied on the feature. Organizations had to fall back on local administrator credentials or alternate identity providers, in some cases on short notice.

On Jan. 27, Fortinet published its formal Product Security Incident Response Team advisory for the issue, identified as FG-IR-26-060, and registered CVE-2026-24858. At the same time, it re-enabled the FortiCloud SSO service, but with new server-side controls that reject SSO logins from devices running vulnerable software.

“FortiCloud SSO login will not be permitted for devices running affected versions until they are upgraded to a fixed release,” the advisory said.

Fortinet also outlined defense-in-depth steps for customers, including disabling FortiCloud SSO locally via configuration settings, restricting administrative access to management networks or specific IP ranges, and carefully auditing administrator accounts and configuration downloads.

Patching across the product line

By Jan. 28, new builds including fixes for CVE-2026-24858 had begun rolling out across several product families. FortiOS 7.4.11 includes the patch, with additional fixed versions planned for supported 7.0, 7.2 and 7.6 branches. Updated releases for FortiManager, FortiAnalyzer, FortiProxy and FortiWeb are also being delivered or scheduled.

National cybersecurity agencies have moved quickly to push organizations toward remediation. The CISA directive effectively gives U.S. civilian agencies three days from listing to address the issue, either by applying vendor patches, upgrading to unaffected versions or implementing documented mitigation steps. In the United Kingdom, NHS England’s National Cyber Security Operations Centre issued an alert urging health sector organizations to assess their exposure and patch where possible.

Fortinet has not publicly disclosed how many customers or devices were accessed using the new vulnerability. In public statements, the company has characterized the number of impacted organizations as limited. Security firms that tracked the activity say they have seen cases across both enterprise environments and managed service providers.

There has been no public attribution of the attacks to a particular group or country. The observed tactics — creation of persistent administrator accounts and configuration exfiltration — are consistent with efforts to establish durable access rather than solely to deploy ransomware or conduct immediate financial theft, but investigators have not drawn firm conclusions about motive.

Second SSO crisis in six weeks

The new flaw arrives less than two months after Fortinet’s disclosure of the earlier FortiCloud SSO signature verification bugs. Together, the incidents underscore the challenges of securing complex single sign-on implementations in widely deployed security infrastructure.

In his January blog post, Windsor cautioned that while the observed attacks had targeted FortiCloud SSO, the underlying issues related to SAML-based SSO logic within Fortinet’s products more broadly. He said Fortinet was reviewing SAML SSO implementations across its portfolio and recommended that customers scrutinize their SSO configurations and logs.

Industry analysts note that security appliances and identity systems have become high-value targets as more organizations centralize access control in a small number of platforms. Previous waves of vulnerabilities in virtual private network appliances and gateway products at other vendors have been used as initial access points in espionage and criminal campaigns.

In this case, a single cloud-based SSO feature, when misused, could bridge network boundaries between unrelated customers.

What organizations should do

Security agencies and Fortinet are urging organizations that rely on Fortinet gear to first determine whether FortiCloud SSO administrative login is or was enabled on their devices, then confirm their software versions against Fortinet’s list of fixed releases.

Administrators are advised to search logs for past logins via FortiCloud SSO, especially from the known malicious accounts, and to look for unexpected local admin accounts and configuration exports. Where compromise is suspected, experts recommend removing rogue accounts, rotating credentials, reviewing VPN and remote access settings and conducting broader incident response as needed.
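The log review described above can be scripted. The following triage helper is an added example, not Fortinet's tooling: it parses FortiOS-style key=value event logs, flags successful administrator logins whose method is FortiCloud SSO (escalating the two accounts Fortinet associated with the activity, cloud-noc@mail.io and cloud-init@mail.io), and flags creation of local administrator accounts, escalating those whose names appear in the list Fortinet reported or that were created from an SSO session. The sample log lines are constructed for this example and only approximate the real FortiOS format; the field names `logdesc`, `ui`, `method`, `cfgpath`, `cfgobj` and `action` are assumptions and may need adjusting to the exact log schema of a given release.

```python
"""Triage FortiOS-style admin event logs for FortiCloud SSO abuse indicators.

Added example, not Fortinet's code. Log field names are assumptions that
approximate FortiOS key=value event logs; adjust them to your release's schema.
"""
import re
from dataclasses import dataclass, field

# Accounts Fortinet associated with the CVE-2026-24858 activity.
KNOWN_MALICIOUS_SSO_USERS = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# Local admin names Fortinet reported attackers creating after an SSO login.
SUSPICIOUS_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
_SSO_UI = re.compile(r"^sso\(([^)]*)\)$")             # ui="sso(<ip>)"


def parse_line(line: str) -> dict:
    """Parse one key=value event-log line into a dict, stripping surrounding quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in _KV.findall(line)}


@dataclass
class Finding:
    severity: str      # "high" or "medium"
    reason: str
    user: str
    source_ip: str     # IP from ui="sso(<ip>)", empty if the session was not SSO
    record: dict = field(repr=False)


def sso_source_ip(rec: dict) -> str:
    """Return the address inside ui="sso(<ip>)", or "" for non-SSO sessions."""
    m = _SSO_UI.match(rec.get("ui", ""))
    return m.group(1) if m else ""


def triage(log_text: str) -> list:
    """Scan log lines and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        desc, user = rec.get("logdesc", ""), rec.get("user", "")
        src = sso_source_ip(rec)
        # 1. Successful administrative logins via FortiCloud SSO.
        if desc == "Admin login successful" and rec.get("method") == "sso":
            if user in KNOWN_MALICIOUS_SSO_USERS:
                findings.append(Finding("high", "SSO login from account Fortinet tied to the "
                                        "CVE-2026-24858 activity", user, src, rec))
            else:
                findings.append(Finding("medium", "FortiCloud SSO admin login; confirm it was "
                                        "expected", user, src, rec))
        # 2. Creation of a local administrator account (assumed cfgpath "system.admin").
        elif (desc == "Object configured" and rec.get("action") == "Add"
              and rec.get("cfgpath") == "system.admin"):
            new_admin = rec.get("cfgobj", "")
            via_sso = bool(src)
            if new_admin in SUSPICIOUS_ADMIN_NAMES or via_sso:
                why = f"local admin '{new_admin}' created"
                why += " by an SSO session" if via_sso else ""
                why += " with a name seen in the reported campaign" if new_admin in SUSPICIOUS_ADMIN_NAMES else ""
                findings.append(Finding("high", why, user, src, rec))
            else:
                findings.append(Finding("medium", f"local admin '{new_admin}' created; verify "
                                        "against change records", user, src, rec))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample log lines (not real device output). The first two reuse the
# account and address Fortinet published; the rest use documentation addresses.
SAMPLE_LOGS = """\
date=2026-01-20 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.115)"
date=2026-01-20 time=03:15:22 type="event" subtype="system" logdesc="Object configured" user="cloud-init@mail.io" ui="sso(104.28.244.115)" action="Add" cfgpath="system.admin" cfgobj="backupadmin" msg="Add system.admin backupadmin"
date=2026-01-20 time=09:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.5.4)" method="https" action="login" status="success"
date=2026-01-20 time=10:30:00 type="event" subtype="system" logdesc="Admin login successful" user="netops@example.com" ui="sso(198.51.100.7)" method="sso" action="login" status="success"
date=2026-01-20 time=11:00:00 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(10.10.5.4)" action="Add" cfgpath="firewall.policy" cfgobj="42"
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.record.get('date')} {f.record.get('time')} "
              f"user={f.user} sso_ip={f.source_ip or '-'} :: {f.reason}")
    print(summarize(results))
```

Run it against exported event logs (one record per line) rather than the constructed sample; a medium finding for an SSO login by a legitimate account is expected noise, and the point is to surface any SSO session that was followed by an admin-account addition or a configuration download, which this helper would extend to in the same way once the relevant `logdesc` value for config exports is confirmed for the release in use.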

Longer term, security practitioners say organizations should review their use of vendor-hosted SSO for critical network infrastructure and consider how management interfaces are exposed. Segmenting management planes onto restricted networks, enforcing multifactor authentication and limiting reliance on cloud SSO paths are among the measures often recommended.

Fortinet, which says its products secure hundreds of thousands of customers worldwide, has stated that it is continuing to investigate CVE-2026-24858 and monitor for additional malicious use.

For now, the flaw has turned FortiCloud SSO from a convenience feature into a point of scrutiny, as network operators and regulators work to close off a rare cross-tenant access path in one of the industry’s most widely deployed security platforms.

Tags: #cybersecurity, #fortinet, #vulnerability, #sso, #cisa