www.darkreading.com, 1/28/2026, 9:51:05 PM

Fortinet Confirms New Zero-Day Behind Malicious SSO Logins

CyberSIXT Evidence Panel
CISA KEV: listed in KEV
Patch status: unknown

Fortinet has confirmed a new zero-day vulnerability, CVE-2026-24858, described as a critical authentication bypass that allows an attacker to log in to a device through FortiCloud SSO when SSO is enabled. The advisory gives the flaw a CVSS score of 9.8 and lists FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb as affected.

According to Fortinet's advisory, exploitation requires an active FortiCloud account and a registered Fortinet device; in practice, a threat actor could log in as another user if SSO is enabled. Fortinet first traced exploitation to two FortiCloud accounts on 22 January, disabled FortiCloud SSO for all accounts and devices on 26 January to stop it, and re-enabled the feature on 27 January for devices not vulnerable to CVE-2026-24858.
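Because the advisory gives a concrete exploitation window (22 January through the 27 January re-enablement), the most useful defender step beyond patching is to triage admin login events from that window for logins that used FortiCloud SSO. The script below is an added example, not code from the article or from Fortinet: it parses FortiOS-style space-separated key="value" event lines, keeps successful admin logins whose authentication method is SSO, and restricts them to the article's date window. The field names and values it keys on (method="sso", action="login", status="success") are assumptions for illustration, not a verified FortiOS log schema, and the sample log lines are constructed.

```python
import re
from datetime import date

# FortiOS event logs are space-separated key="value" pairs. The specific
# fields matched below (method="sso", action="login", status="success") are
# ASSUMED for this example; check them against what your own devices emit.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Window taken from the article: exploitation traced to 22 January,
# FortiCloud SSO re-enabled for non-vulnerable devices on 27 January.
WINDOW_START = date(2026, 1, 22)
WINDOW_END = date(2026, 1, 27)

# Constructed sample lines (not real device output); documentation IPs only.
SAMPLE_LOGS = """\
date=2026-01-21 time=09:12:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 action="login" status="success"
date=2026-01-23 time=02:41:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" method="sso" srcip=198.51.100.7 action="login" status="success"
date=2026-01-24 time=11:05:30 type="event" subtype="system" logdesc="Admin login failed" user="ops" ui="https(198.51.100.7)" method="sso" srcip=198.51.100.7 action="login" status="failed"
date=2026-01-25 time=16:20:02 type="event" subtype="system" logdesc="Admin login successful" user="ops" ui="https(192.0.2.44)" method="sso" srcip=192.0.2.44 action="login" status="success"
date=2026-01-28 time=08:00:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" method="sso" srcip=203.0.113.10 action="login" status="success"
"""


def parse_line(line):
    """Turn one key=value / key="quoted value" log line into a dict."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_sso_login_in_window(fields, start=WINDOW_START, end=WINDOW_END):
    """True for a successful SSO login whose date falls inside [start, end]."""
    try:
        when = date.fromisoformat(fields.get("date", ""))
    except ValueError:
        return False  # malformed or missing date: never silently count it
    return (
        fields.get("action") == "login"
        and fields.get("status") == "success"
        and fields.get("method", "").lower() == "sso"
        and start <= when <= end
    )


def triage(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return the SSO logins that need review, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if is_sso_login_in_window(f, start, end):
            hits.append({
                "date": f["date"],
                "time": f.get("time"),
                "user": f.get("user"),
                "srcip": f.get("srcip"),
            })
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOGS):
        print(f'{h["date"]} {h["time"]} user={h["user"]} srcip={h["srcip"]} (SSO login in window)')
```

On the constructed input only the 23 and 25 January successful SSO logins are reported; the HTTPS login, the failed attempt, and the 28 January login fall outside the filter. Every reported entry should be matched against the FortiCloud account that the device is registered to, since the advisory's point is that a logged-in user may not be who the session claims.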

The Shadowserver Foundation later said its scans found about 10,000 exposed Fortinet instances with FortiCloud SSO enabled, a large drop from about 25,000 in mid-December. Fortinet urged customers to upgrade to the fixed FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb versions and noted it is still investigating the vulnerability's impact on FortiSwitch Manager.


Article by CyberSIXT