Fortinet on Tuesday rolled out emergency patches for a FortiCloud SSO login authentication bypass that has been exploited within the wild as a zero-day.
The exploitation got here to mild final week, after Arctic Wolf noticed automated assaults concentrating on FortiGate firewalls to create new administrator accounts and exfiltrate configuration recordsdata.
Fortinet quickly confirmed the assaults, saying it was investigating the exploitation of gadgets absolutely patched in opposition to CVE-2025-59718 and CVE-2025-59719, two critical-severity FortiCloud SSO login bugs patched in early December.
On Tuesday, Fortinet rolled out recent patches for FortiOS, FortiManager, and FortiAnalyzer, revealing that hackers had been exploiting a brand new however associated FortiCloud SSO flaw, now tracked as CVE-2026-24858 (CVSS rating of 9.4).
Described as an authentication bypass utilizing an alternate path or channel situation, CVE-2026-24858 could be exploited in opposition to gadgets which have FortiCloud SSO enabled, simply because the earlier two safety defects may.
The characteristic is disabled by default, however it’s enabled when registering a brand new system by the system’s GUI, until the administrator particularly disables it.Commercial. Scroll to proceed studying.
CVE-2026-24858, Fortinet says, permits “an attacker with a FortiCloud account and a registered system to log into different gadgets registered to different accounts”.
The corporate notes that it blocked the malicious FortiCloud accounts used within the zero-day assaults noticed earlier this month, and that it briefly disabled FortiCloud SSO on the FortiCloud aspect between January 26 and 27.
Now, FortiCloud SSO not helps login from gadgets working weak variations, which means that customers want to use the newly launched patches to profit from FortiCloud SSO authentication.
The fixes had been included in FortiAnalyzer model 7.4.10, FortiManager model 7.4.10, and FortiOS model 7.4.11.
Fortinet says the patches may even be included in FortiAnalyzer variations 7.6.6, 7.2.12, and seven.0.16, FortiManager variations 7.6.6, 7.2.13, and seven.0.16, FortiOS variations 7.6.6, 7.2.13, and seven.0.19, and FortiProxy variations 7.6.6 and seven.4.13.
Additionally on Tuesday, the US cybersecurity company CISA added CVE-2026-24858 to its Identified Exploited Vulnerabilities (KEV) catalog, urging federal businesses to patch it by January 30.
Associated: Organizations Warned of Exploited Linux Vulnerabilities
Associated: Microsoft Patches Workplace Zero-Day Seemingly Exploited in Focused Assaults
Associated: 2024 VMware Flaw Now in Attackers’ Crosshairs
Associated: Organizations Warned of Exploited Zimbra Collaboration Vulnerability
