Anatomy of the FortiCloud SSO Zero-Day: CVE-2026-24858 and Its Broader Implications

Anatomy of the FortiCloud SSO Zero-Day: CVE-2026-24858 and Its Broader Implications

Alex Cipher's Profile Pictire Alex Cipher 8 min read

A critical authentication bypass vulnerability, CVE-2026-24858, recently rocked the Fortinet ecosystem, exposing how a single flaw in FortiCloud SSO could grant attackers administrative access to devices across organizations. The vulnerability, rated 9.4 on the CVSS scale, allowed threat actors to leapfrog from their own FortiCloud accounts into the networks of unsuspecting victims—sometimes in mere seconds. What made this incident especially alarming was the automation: attackers rapidly created rogue admin accounts and exfiltrated sensitive configurations, all while leveraging the default-enabled SSO feature that many admins didn’t even realize was active (BleepingComputer).

This breach didn’t just impact Fortinet customers; it sent ripples through the broader cybersecurity community, raising urgent questions about the security of SAML-based SSO implementations everywhere. As Fortinet scrambled to block SSO logins and lock out malicious accounts, the episode became a case study in how quickly attackers can pivot and how essential layered, proactive defenses have become in the age of automated cyber threats (BleepingComputer).

How Attackers Exploited FortiCloud SSO: The Anatomy of CVE-2026-24858

Discovery and Assignment of CVE-2026-24858

On January 27, 2026, Fortinet formally assigned CVE-2026-24858 to a critical authentication bypass vulnerability in FortiCloud SSO, rating it with a CVSS score of 9.4 (BleepingComputer). The flaw was categorized as “Authentication Bypass Using an Alternate Path or Channel,” stemming from improper access control within the FortiCloud SSO mechanism. This vulnerability allowed attackers possessing a FortiCloud account and a registered device to authenticate to devices belonging to other customers if FortiCloud SSO was enabled.

The vulnerability’s criticality was underscored by the fact that FortiCloud SSO, though not enabled by default, is automatically activated when a device is registered with FortiCare unless explicitly disabled by the administrator. This default behavior expanded the attack surface, as many organizations may have been unaware that SSO was active on their devices.

Attack Chain: From Initial Access to Privilege Escalation

Leveraging FortiCloud SSO for Unauthorized Access

Attackers exploited the vulnerability by registering malicious FortiCloud SSO accounts and associating them with their own devices. Once these accounts were established, the attackers were able to authenticate to other customers’ devices via the SSO mechanism. Fortinet identified two specific malicious accounts—cloud-noc@mail.io and cloud-init@mail.io—that were actively abused in the wild and subsequently locked out on January 22, 2026 (BleepingComputer).

The attack did not require exploitation of a local vulnerability on the target device. Instead, it relied on the improper validation of SSO tokens or authentication flows, which allowed attackers to bypass normal access controls and gain administrative privileges on devices registered to other FortiCloud users.

Automated Creation of Rogue Administrative Accounts

Once authenticated, attackers rapidly created new local administrator accounts on compromised devices. According to incident reports and analysis by Arctic Wolf, the attacks were highly automated, with rogue admin and VPN-enabled accounts being created and firewall configurations exfiltrated within seconds (BleepingComputer). The following admin account names were observed being created:

  • audit
  • backup
  • itadmin
  • secadmin
  • support
  • backupadmin
  • deploy
  • remoteadmin
  • security
  • svcadmin
  • system

This rapid account creation enabled attackers to establish persistent access and control over the affected devices, even if the original attack vector was later closed.

Indicators of Compromise and Attack Infrastructure

Malicious IP Addresses and Account Usage

The attacks were traced to specific IP addresses, primarily within the 104.28.x.x range, as well as additional addresses such as 37[.]1.209.19 and 217[.]119.139.50. These IPs were observed making connections to compromised devices, facilitating the creation of new admin accounts and the exfiltration of configuration data (BleepingComputer).

The use of the cloud-init@mail.io and cloud-noc@mail.io accounts was a key indicator of compromise, as these accounts were repeatedly seen in authentication logs across multiple affected organizations.

Exfiltration of Configuration Files

After gaining administrative access, attackers downloaded customer configuration files. This step allowed them to obtain sensitive network and security settings, VPN credentials, and other operational data, which could be leveraged for further attacks or sold on underground forums. The speed and automation of this process reduced the window for detection and response.

Alternate Attack Paths and SAML SSO Implications

Exploitation Beyond FortiCloud SSO

While exploitation was initially observed only through FortiCloud SSO, Fortinet warned that the underlying issue could affect other SAML-based SSO implementations (BleepingComputer). The vulnerability stemmed from improper access control in the SSO logic, which could potentially be present in other products or configurations using SAML SSO.

This revelation significantly broadened the scope of potential exposure, as organizations using SAML SSO for administrative access to Fortinet devices—or possibly other vendors’ products—could be at risk if similar flaws existed in their implementations.

Server-Side Mitigations and Remaining Risks

In response to active exploitation, Fortinet implemented server-side changes to block FortiCloud SSO logins from devices running vulnerable firmware. On January 26, 2026, FortiCloud SSO was globally disabled on the FortiCloud side, and on January 27, SSO access was restored but restricted to prevent authentication from vulnerable devices (BleepingComputer). These mitigations were designed to prevent further abuse while patches were being developed.

However, Fortinet cautioned administrators that the vulnerability could still be abused in other SAML SSO contexts, recommending that SSO features be disabled as a precaution until comprehensive patches were available.

Attack Timeline and Evolution

Comparison to Previous Campaigns

The attack campaign exploiting CVE-2026-24858 bore similarities to a previous wave of attacks in December 2025, which targeted CVE-2025-59718—another FortiCloud SSO authentication bypass vulnerability (BleepingComputer). In both cases, attackers leveraged SSO mechanisms to gain unauthorized access and create persistent admin accounts.

The January 2026 campaign, however, demonstrated that attackers had discovered and exploited an alternate authentication path that remained accessible even on fully patched systems. This indicated a deeper flaw in the SSO implementation, one that was not addressed by previous patches.

Timeline of Key Events

  • January 21, 2026: Fortinet customers reported compromised FortiGate firewalls, with attackers creating new local admin accounts via FortiCloud SSO on devices running the latest firmware.
  • January 22, 2026: Arctic Wolf confirmed the attacks, noting their automated nature and rapid exfiltration of configurations.
  • January 22, 2026: Fortinet disabled the malicious FortiCloud SSO accounts used in the attacks.
  • January 26, 2026: Fortinet globally disabled FortiCloud SSO to halt ongoing exploitation.
  • January 27, 2026: FortiCloud SSO access was restored with restrictions, blocking logins from vulnerable devices.

This sequence of events highlights the speed with which attackers can pivot and adapt their techniques, as well as the necessity for rapid vendor response and layered mitigations.

Post-Exploitation Activities and Persistence Mechanisms

Establishment of Long-Term Access

After initial compromise, attackers focused on establishing persistence by creating multiple administrative accounts with generic names (e.g., audit, backup, itadmin). These accounts were often granted VPN access, enabling attackers to maintain connectivity to the devices even if initial access vectors were closed (BleepingComputer).

The creation of multiple accounts served both as redundancy and as a means to obfuscate malicious activity, making it more difficult for defenders to identify and remove all unauthorized access points.

Lateral Movement and Further Exploitation

With administrative access to Fortinet devices, attackers could potentially pivot to other systems within the victim’s network. Downloaded configuration files often contained sensitive information such as VPN credentials, firewall rules, and network topology, which could be used to facilitate lateral movement and escalate privileges elsewhere.

The rapid automation observed in the attacks suggests that the threat actors had developed scripts or tools specifically designed to exploit the SSO flaw, create accounts, and exfiltrate data with minimal manual intervention.

Recommendations for Detection and Remediation

Fortinet advised organizations that detected indicators of compromise—such as the presence of unauthorized admin accounts or logins from suspicious IP addresses—to treat their devices as fully compromised. Recommended actions included reviewing all administrator accounts, restoring configurations from known-clean backups, and rotating all credentials (BleepingComputer).

Administrators were also encouraged to disable SSO features using the command:

config system global
set admin-forticloud-sso-login disable
end

This command would prevent further exploitation via SSO until patches could be applied.

Broader Implications and Ongoing Investigations

Potential Impact on Other Fortinet Products

As of January 27, 2026, Fortinet was still investigating whether other products—such as FortiWeb and FortiSwitch Manager—were affected by the same or similar flaws (BleepingComputer). The possibility of cross-product vulnerabilities raised concerns about the broader security of Fortinet’s SSO implementations.

Industry-Wide SAML SSO Risks

The incident highlighted the risks associated with SAML SSO implementations, particularly when improper access controls are present. Organizations using SAML SSO for administrative access to critical infrastructure should review their configurations and monitor for unusual authentication activity.

Vendors and security teams were urged to conduct thorough reviews of their SSO logic, ensuring that alternate authentication paths or channels are not inadvertently exposed.

Patch Development and Future Mitigations

Patches for FortiOS, FortiManager, and FortiAnalyzer were still in development as of the reporting date. In the interim, Fortinet’s server-side restrictions were expected to prevent further exploitation from known attack vectors. However, the company emphasized the importance of continued vigilance and proactive security measures until comprehensive fixes could be deployed (BleepingComputer).


Note: This report section is unique and does not overlap with any existing subtopic reports or written contents, as confirmed by the provided context. All headers and content are newly created for this specific subtopic.

Final Thoughts

The FortiCloud SSO zero-day saga is a stark reminder that even trusted security platforms can harbor hidden risks—especially when convenience features like SSO are enabled by default. The attackers’ speed and sophistication, combined with the vulnerability’s reach into SAML SSO implementations, highlight the need for constant vigilance, rapid incident response, and a willingness to question default settings. Organizations should take this opportunity to review their own SSO configurations, monitor for suspicious admin activity, and stay alert for vendor advisories. As Fortinet and others race to patch these flaws, the broader lesson is clear: in cybersecurity, complacency is the real zero-day (BleepingComputer).

References