Fortinet has released patches for a critical FortiOS flaw, CVE-2026-24858, described as an authentication bypass via FortiCloud SSO with a CVSS score of 9.4; it affects FortiOS, FortiManager and FortiAnalyzer. According to Fortinet, two malicious FortiCloud accounts were blocked on 22 January 2026, and to stop further abuse FortiCloud SSO was disabled on 26 January before being re-enabled on 27 January.
The company says attacks have bypassed FortiCloud SSO on fully patched devices, with threat actors automating firewall changes: adding users, enabling VPNs and exporting configurations, in campaigns resembling the December 2025 exploitation of critical FortiCloud SSO flaws.
Arctic Wolf researchers observed a new automated attack cluster targeting FortiGate devices from around 15 January 2026, noting the use of generic accounts for persistence and configuration exfiltration; Fortinet says a fix is in progress and an advisory will be issued.
Fortinet stresses that FortiCloud SSO login is disabled by default and is only activated when an administrator registers the device or enables the FortiCloud SSO admin login option. As a workaround, FortiCloud SSO no longer permits logins from devices running vulnerable versions.
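Because the attacks described above succeed on fully patched devices, a defender cannot rely on patch level alone and needs to review admin activity that follows a FortiCloud SSO login. The script below is an added example, not code from Fortinet or Arctic Wolf: it correlates a successful SSO admin login with the follow-on actions the article names (adding users, enabling VPNs, exporting configuration) on the same device. The key=value line format, the field names (`devname`, `user`, `action`, `status`, `method`) and the `method="forticloud_sso"` value are assumptions modelled loosely on FortiOS event logs, and the log lines are constructed for the example.

```python
"""Triage helper: flag FortiCloud SSO admin logins that are followed by risky
admin actions (user creation, VPN enablement, config export) on the same device.

Added example. The key=value format and the field names/values below are
assumptions, not a documented FortiOS schema; the sample lines are constructed.
"""
import re
from collections import defaultdict

# key=value pairs, with or without double quotes around the value
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Post-login actions the article reports attackers automating (assumed action names)
RISKY_ACTIONS = {"add_admin_user", "enable_vpn", "export_config"}

# Constructed sample log: one SSO login on FGT-1 followed by user creation and a
# config export, a legitimate local admin doing an export, and a benign SSO login.
SAMPLE_LOG = [
    'devname="FGT-1" user="svc.cloud@example.invalid" action="login" status="success" method="forticloud_sso"',
    'devname="FGT-1" user="svc.cloud@example.invalid" action="add_admin_user" target="backup_admin"',
    'devname="FGT-1" user="svc.cloud@example.invalid" action="export_config"',
    'devname="FGT-1" user="admin" action="login" status="success" method="local"',
    'devname="FGT-1" user="admin" action="export_config"',
    'devname="FGT-2" user="ops@example.invalid" action="login" status="success" method="forticloud_sso"',
]


def parse_line(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_sso_login(ev):
    """True for a successful admin login made through FortiCloud SSO (assumed field values)."""
    return (
        ev.get("action") == "login"
        and ev.get("status") == "success"
        and ev.get("method") == "forticloud_sso"
    )


def find_suspicious_sessions(lines):
    """Return [(device, user, [risky actions])] for every (device, user) pair that
    performed a risky action after an SSO login. Local logins are ignored, so an
    ordinary administrator exporting a backup is not flagged."""
    sso_sessions = set()          # (device, user) pairs seen logging in via SSO
    hits = defaultdict(list)      # (device, user) -> risky actions observed afterwards
    for line in lines:
        ev = parse_line(line)
        key = (ev.get("devname"), ev.get("user"))
        if is_sso_login(ev):
            sso_sessions.add(key)
        elif key in sso_sessions and ev.get("action") in RISKY_ACTIONS:
            hits[key].append(ev["action"])
    return [(dev, user, acts) for (dev, user), acts in hits.items()]


if __name__ == "__main__":
    for device, user, actions in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{device}: SSO user {user} performed {', '.join(actions)} after login")
```

Run against real exports, the thing to tune is the `RISKY_ACTIONS` set and the login-method test, which must be mapped to the actual field values your FortiOS version emits; the correlation logic itself (SSO login first, then a privileged change by the same principal on the same device) is what separates the pattern in the article from routine administration.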