Federal authorities and security researchers are warning about a critical vulnerability in Fortinet FortiCloud single sign-on, which is currently under exploitation.
The flaw, tracked as CVE-2026-24858, allows an attacker with a registered device and a FortiCloud account to access devices registered to other accounts. FortiCloud SSO authentication needs to be enabled in those other devices in order for the attack to work.
The Cybersecurity and Infrastructure Security Agency on Wednesday warned that Fortinet has confirmed several forms of malicious activity, including hackers changing firewall configurations on FortiGate devices, creating false unauthorized accounts and making changes on VPN accounts in order to get access to new accounts.
CISA said users who previously patched prior SSO bypass flaws in December, tracked as CVE-2025-59718 and CVE-2025-59719, were not protected from this vulnerability and needed to upgrade. CISA added the new flaw to its Known Exploited Vulnerabilities catalog.
Shadowserver reported about 10,000 vulnerable instances.
Fortinet released guidance on Tuesday for users to upgrade to a secure version. The flaw impacts users of multiple products.
Fortinet on Monday disabled FortiCloud SSO in order to prevent abuse and restored access on Tuesday, according to a blog post. The company noted that access for vulnerable devices will no longer be supported.
Researchers at Arctic Wolf began seeing a pattern of automated configuration changes to firewalls on Jan. 15. Hackers were creating generic accounts in order to gain persistence, making changes to allow VPN access to the accounts. This led to additional configuration changes and data exfiltration.
“Despite differing underlying technical flaws, there are still similarities between the December and January campaigns,” Arctic Wolf researchers told Cybersecurity Dive in an emailed statement. “In both cases, we observed successful authentication via Fortinet SSO followed by near-immediate download of firewall configuration files, often within seconds, suggesting automated or scripted behavior.”
