Federal authorities and security researchers are warning about a critical vulnerability in Fortinet FortiCloud single sign-on, which is currently under exploitation.
The flaw, tracked as CVE-2026-24858, allows an attacker with a registered device and a FortiCloud account to access devices registered to other accounts. FortiCloud SSO authentication needs to be enabled in those other devices in order for the attack to work.
The Cybersecurity and Infrastructure Security Agency on Wednesday warned that Fortinet has confirmed several forms of malicious activity, including hackers changing firewall configurations on FortiGate devices, creating unauthorized accounts and modifying VPN settings so that those newly created accounts gain access.
CISA said users who previously patched prior SSO bypass flaws in December, tracked as CVE-2025-59718 and CVE-2025-59719, were not protected from this vulnerability and needed to upgrade. CISA added the new flaw to its Known Exploited Vulnerabilities catalog.
Shadowserver reported about 10,000 vulnerable instances.
Fortinet released guidance on Tuesday for users to upgrade to a secure version. The flaw impacts users of multiple products.
Fortinet on Monday disabled FortiCloud SSO in order to prevent abuse and restored access on Tuesday, according to a blog post. The company noted that access for vulnerable devices will no longer be supported.
Researchers at Arctic Wolf began seeing a pattern of automated configuration changes to firewalls on Jan. 15. Hackers created generic-looking accounts to gain persistence and then changed settings to allow VPN access for those accounts. This led to additional configuration changes and data exfiltration.
“Despite differing underlying technical flaws, there are still similarities between the December and January campaigns,” Arctic Wolf researchers told Cybersecurity Dive in an emailed statement. “In both cases, we observed successful authentication via Fortinet SSO followed by near-immediate download of firewall configuration files, often within seconds, suggesting automated or scripted behavior.”
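The sequence Arctic Wolf describes (a successful SSO login, a configuration download seconds later, then account creation and VPN changes) is a concrete pattern a defender can hunt for in firewall event logs. The script below is an added example written for this article; it is not code from Fortinet, Arctic Wolf or CISA. The log lines and their key=value field names (`method=sso`, `action=config_download`, `action=admin_create`, `action=vpn_policy_change`) are constructed for illustration and do not reproduce FortiGate's actual log schema, and the 30-second and 10-minute windows are assumed thresholds, not values from the article.

```python
"""Hunt for the 'SSO login -> immediate config download -> new admin / VPN change'
sequence described in the article. Constructed example, not vendor code."""
from datetime import datetime

# Constructed sample log lines in a simplified key=value format (NOT Fortinet's schema).
# Session 1 (admin from 203.0.113.10) shows the suspicious automated pattern;
# session 2 (jdoe from 198.51.100.7) is a normal login with a download ~23 minutes later.
SAMPLE_LOGS = """\
ts=2026-01-15T03:12:04Z user=admin method=sso action=login status=success src=203.0.113.10
ts=2026-01-15T03:12:07Z user=admin action=config_download status=success src=203.0.113.10
ts=2026-01-15T03:12:15Z user=admin action=admin_create target=support01 src=203.0.113.10
ts=2026-01-15T03:12:20Z user=admin action=vpn_policy_change target=support01 src=203.0.113.10
ts=2026-01-15T09:41:30Z user=jdoe method=sso action=login status=success src=198.51.100.7
ts=2026-01-15T10:05:02Z user=jdoe action=config_download status=success src=198.51.100.7
"""

# Post-login actions that indicate persistence being established (assumed names).
FOLLOW_ON_ACTIONS = {"admin_create", "vpn_policy_change"}


def parse_logs(text):
    """Parse key=value lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_sessions(events, download_window=30, follow_on_window=600):
    """Flag SSO logins followed by a config download within `download_window`
    seconds, and collect persistence actions by the same user/source within
    `follow_on_window` seconds. Returns a list of finding dicts."""
    findings = []
    for i, ev in enumerate(events):
        is_sso_login = (ev.get("action") == "login"
                        and ev.get("method") == "sso"
                        and ev.get("status") == "success")
        if not is_sso_login:
            continue
        session_key = (ev["user"], ev.get("src"))
        seconds_to_download = None
        follow_on = []
        for later in events[i + 1:]:
            delta = (later["ts"] - ev["ts"]).total_seconds()
            if delta > follow_on_window:
                break  # events are sorted, nothing further is in scope
            if (later["user"], later.get("src")) != session_key:
                continue
            action = later.get("action")
            if action == "config_download" and seconds_to_download is None \
                    and delta <= download_window:
                seconds_to_download = delta
            elif action in FOLLOW_ON_ACTIONS:
                follow_on.append(action)
        if seconds_to_download is not None:
            findings.append({
                "user": ev["user"],
                "src": ev.get("src"),
                "login_ts": ev["ts"].isoformat(),
                "seconds_to_download": seconds_to_download,
                "follow_on": follow_on,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(parse_logs(SAMPLE_LOGS)):
        print(f"SUSPICIOUS: {f['user']}@{f['src']} downloaded config "
              f"{f['seconds_to_download']:.0f}s after SSO login; "
              f"follow-on actions: {f['follow_on'] or 'none'}")
```

The download window is the key signal: a human administrator rarely pulls a full configuration within seconds of logging in, so a tight threshold separates scripted behaviour from routine use, while the longer follow-on window ties subsequent account creation and VPN changes to the same session for triage. Any real deployment would map the field names onto the firewall's own log format and tune both windows against baseline administrator activity.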