SecurityWeek
Fortinet Patches Exploited FortiCloud SSO Authentication Bypass

Tracked as CVE-2026-24858, the bug allows attackers to log into devices registered to other FortiCloud accounts.


Fortinet on Tuesday rolled out emergency patches for a FortiCloud SSO login authentication bypass that has been exploited in the wild as a zero-day.

The exploitation came to light last week, after Arctic Wolf observed automated attacks targeting FortiGate firewalls to create new administrator accounts and exfiltrate configuration files.

Fortinet soon confirmed the attacks, saying it was investigating the exploitation of devices fully patched against CVE-2025-59718 and CVE-2025-59719, two critical-severity FortiCloud SSO login bugs patched in early December.

On Tuesday, Fortinet rolled out fresh patches for FortiOS, FortiManager, and FortiAnalyzer, revealing that hackers had been exploiting a new but related FortiCloud SSO flaw, now tracked as CVE-2026-24858 (CVSS score of 9.4).

Described as an “authentication bypass using an alternate path or channel” issue, CVE-2026-24858 can be exploited against devices that have FortiCloud SSO enabled, as could the previous two security defects.

The feature is disabled by default, but it is enabled when registering a new device through the device’s GUI, unless the administrator specifically disables it.


CVE-2026-24858, Fortinet says, allows “an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts”.

The company notes that it blocked the malicious FortiCloud accounts used in the zero-day attacks observed earlier this month, and that it briefly disabled FortiCloud SSO on the FortiCloud side between January 26 and 27.

FortiCloud SSO now refuses logins from devices running vulnerable versions, so users must apply the newly released patches to keep using FortiCloud SSO authentication.

The fixes were included in FortiAnalyzer version 7.4.10, FortiManager version 7.4.10, and FortiOS version 7.4.11.

Fortinet says the patches will also be included in FortiAnalyzer versions 7.6.6, 7.2.12, and 7.0.16, FortiManager versions 7.6.6, 7.2.13, and 7.0.16, FortiOS versions 7.6.6, 7.2.13, and 7.0.19, and FortiProxy versions 7.6.6 and 7.4.13.
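The version list above is easier to act on as a fleet check. The script below is an added example written for this article, not a Fortinet tool or anything from the advisory: it encodes the fixed versions exactly as reported here, labels the 7.4 builds that shipped on Tuesday as "released" and the other branches as "announced" (so an operator confirms those builds actually exist before relying on them), and flags devices that are both unpatched and have FortiCloud SSO enabled. The inventory, the product and version strings, and the per-device SSO flag are constructed sample input supplied by the operator, not read from any device; a branch the article does not mention (for example a 6.x build) is reported as unlisted rather than guessed at.

```python
from __future__ import annotations

# Fixed versions per product and release branch, as reported in the article.
# "released" = part of the Tuesday patch set; "announced" = Fortinet said the
# fix will be included in that build, so confirm availability before relying on it.
FIXED_VERSIONS: dict[str, dict[str, tuple[str, str]]] = {
    "FortiOS": {
        "7.6": ("7.6.6", "announced"),
        "7.4": ("7.4.11", "released"),
        "7.2": ("7.2.13", "announced"),
        "7.0": ("7.0.19", "announced"),
    },
    "FortiManager": {
        "7.6": ("7.6.6", "announced"),
        "7.4": ("7.4.10", "released"),
        "7.2": ("7.2.13", "announced"),
        "7.0": ("7.0.16", "announced"),
    },
    "FortiAnalyzer": {
        "7.6": ("7.6.6", "announced"),
        "7.4": ("7.4.10", "released"),
        "7.2": ("7.2.12", "announced"),
        "7.0": ("7.0.16", "announced"),
    },
    "FortiProxy": {
        "7.6": ("7.6.6", "announced"),
        "7.4": ("7.4.13", "announced"),
    },
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v7.4.11' or '7.4.11' into (7, 4, 11) so tuples compare in release order."""
    parts = version.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(product: str, version: str, forticloud_sso_enabled: bool) -> dict:
    """Classify one device against the CVE-2026-24858 fixed versions.

    status: 'fixed' | 'vulnerable' | 'unlisted-branch'
    action: what the operator should do next (exposed devices are called out first)
    """
    major, minor, patch = parse_version(version)
    branch = f"{major}.{minor}"
    branches = FIXED_VERSIONS.get(product, {})
    if branch not in branches:
        return {
            "product": product, "version": version, "status": "unlisted-branch",
            "action": "branch not covered here; check Fortinet's PSIRT advisory directly",
        }
    fixed, availability = branches[branch]
    if (major, minor, patch) >= parse_version(fixed):
        return {"product": product, "version": version, "status": "fixed", "action": "none"}
    if forticloud_sso_enabled:
        # Unpatched *and* the vulnerable login path is enabled: highest priority.
        action = f"exposed: FortiCloud SSO enabled; upgrade to {fixed} ({availability})"
    else:
        action = f"upgrade to {fixed} ({availability}); SSO disabled, so not exposed via this path"
    return {"product": product, "version": version, "status": "vulnerable", "action": action}


def triage(inventory: list[tuple[str, str, bool]]) -> list[dict]:
    """Return only devices needing operator action, exposed ones first (stable order otherwise)."""
    results = [assess(product, version, sso) for product, version, sso in inventory]
    needing_action = [r for r in results if r["status"] != "fixed"]
    return sorted(needing_action, key=lambda r: not r["action"].startswith("exposed"))


# Constructed sample inventory: (product, version, FortiCloud SSO enabled?).
# The SSO flag is an operator-supplied assumption, not something this script reads from a device.
SAMPLE_INVENTORY = [
    ("FortiOS", "7.4.11", True),         # patched
    ("FortiOS", "7.4.9", True),          # vulnerable and exposed
    ("FortiManager", "7.4.10", False),   # patched
    ("FortiAnalyzer", "7.2.11", False),  # vulnerable, SSO off, fix only announced
    ("FortiOS", "6.4.15", True),         # branch not listed in the article
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['product']} {r['version']}: {r['status']} -> {r['action']}")
```

Because the page says FortiCloud SSO itself now rejects logins from vulnerable versions, the "exposed" label is about the device being unpatched with the feature on; the fix is still to upgrade, and disabling SSO only removes this particular login path.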

Also on Tuesday, the US cybersecurity agency CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by January 30.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
