Fortinet unearths another critical bug as SSO accounts borked post-patch
Things aren't over yet for Fortinet customers – the security shop has disclosed yet another critical FortiCloud SSO vulnerability.
Those hoping for a reprieve following last week's patch pantomime are out of luck. After users reported successful compromises of FortiCloud SSO accounts, despite being patched against an earlier flaw, the vendor confirmed there was an alternate attack path.
According to a security advisory published Tuesday, that alternate path was assigned a separate vulnerability identifier (CVE-2026-24858, CVSS 9.4), and the company disabled FortiCloud SSO connections made from vulnerable versions. Patches are not yet ready.
Fortinet confirmed that CVE-2026-24858, an authentication bypass bug, was exploited in the wild by two malicious FortiCloud accounts, but these were blocked as of January 22.
Customers of FortiAnalyzer, FortiManager, FortiOS, and FortiProxy are all affected and should upgrade to the version recommended in the advisory to restore FortiCloud SSO services. Some versions have safe releases available already, although patches are still in the works for most.
FortiWeb and FortiSwitch Manager are still being investigated for their exposure to the security flaws.
The original attacks were first spotted by Arctic Wolf around January 15, and seemed to involve two bugs Fortinet patched in December, CVE-2025-59718 and CVE-2025-59719.
The vulnerabilities in question allowed attackers to bypass SSO checks using specially crafted SAML responses, and the observed attacks appeared to be using CVE-2025-59718 to compromise firewalls.
Fortinet confirmed on January 22 that the attacks were indeed bypassing that December patch, exploiting FortiCloud SSO, but doing so through alternate means. The patch was effective against one attack path, but not against this separate one.
Carl Windsor, CISO at Fortinet, warned at the time that although the attacks of which the company was aware only targeted FortiCloud SSO, all SAML-based SSO implementations were vulnerable.
The latest advisory states that the authentication bypass flaw can be exploited by an attacker, provided certain conditions are met.
"An authentication bypass using an alternate path or channel vulnerability in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices."
"Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration." ®