www.securityweek.com 1/28/2026, 8:35:24 AM

Fortinet Patches Exploited FortiCloud SSO Authentication Bypass

CyberSIXT Evidence Panel
- CISA KEV: Listed in KEV
- Patch status: Unknown

Fortinet has issued emergency patches for a FortiCloud SSO login authentication bypass tracked as CVE-2026-24858, which attackers have exploited in the wild to gain access to devices registered to other FortiCloud accounts. The company noted that the zero-day attacks were observed after FortiGate firewall campaigns aimed at creating new administrator accounts and exfiltrating configuration files, and that the flaw can only be exploited on devices with FortiCloud SSO enabled.

Fortinet said the vulnerability is being addressed in updates across FortiAnalyzer (versions 7.4.10, 7.6.6, 7.2.12, 7.0.16), FortiManager (7.4.10, 7.6.6, 7.2.13, 7.0.16), FortiOS (7.4.11, with later inclusion in 7.6.6, 7.2.13, 7.0.19), and FortiProxy (7.6.6 and 7.4.13). The US CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog, urging patching by 30 January. Fortinet also disclosed that FortiCloud SSO was briefly disabled on the FortiCloud side between 26 and 27 January while patches were prepared.


Article by CyberSIXT