Rob Wright , Senior News Director , Dark Reading January 28, 2026 4 Min Read Source: Postmodern Studio via Alamy Stock Photo Fortinet confirmed that a new zero-day vulnerability under exploitation was the cause of a spate of malicious logins through FortiCloud's single sign-on (SSO) feature. The cybersecurity vendor on Tuesday disclosed CVE-2026-24858, a critical authentication bypass vulnerability with a CVSS score of 9.8 that affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. According to Fortinet's advisory , exploitation of the flaw allows an attacker to log in to a device using the FortiCloud SSO authentication feature. In short, a threat actor armed with an active FortiCloud account and a registered Fortinet device could use the vulnerability to log into another user's device as if it were their own, as long as SSO is enabled on the device. On the bright side, Fortinet noted that the FortiCloud SSO login feature is not enabled by default on devices. "However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration," thereby overriding the default, the advisory stated. It's unclear how many Fortinet devices have the SSO feature enabled. Dark Reading contacted Fortinet for comment, but the vendor had not responded at press time. Fortinet Patch Bypass Fears Come True The disclosure of CVE-2026-24858 follows recent reports of malicious SSO logins on Fortinet devices, which echoed similar threat activity last month. In early December, Fortinet disclosed and patched a different vulnerability, tracked as CVE-2025-59718, that attackers use to bypass FortiCloud SSO login authentication. The flaw came under attack later that month, and the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. However, unconfirmed reports emerged from users on Reddit's r/Fortinet community last week that the malicious logins continued, even on devices that had been patched for CVE-2025-59718. In a Jan. 21 report , Arctic Wolf Labs said it observed unidentified threat actors accessing FortiGate firewalls via SSO logins to make configuration changes to the devices. This led to concerns that attackers discovered a bypass for CVE-2025-59718's patch. Last Thursday, Fortinet chief information security officer (CISO) Carl Windsor said in a blog post that the company had observed malicious SSO logins on patched devices, and that Fortinet was investigating a potential "new attack path." The disclosure of CVE-2026-24858, which CISA also added to its KEV catalog on Tuesday, at least partially confirmed those fears. Fortinet has not released the technical details for the new zero-day authentication bypass flaw, so it's unclear what connection if any exists to CVE-2025-59718. However, Windsor's blog post was updated recently to note that Fortinet "confirmed that this issue only impacts FortiCloud SSO and does not impact third-party SAML IdP or FortiAuthenticator implementations." The blog post initially stated that while threat activity had only been observed with FortiCloud SSO logins, "this issue is applicable to all SAML SSO implementations." Regardless of the technical details, CVE-2026-24858 poses major risk to organizations. In a blog post today, threat intelligence vendor SOCRadar noted that attackers can access edge devices and gain administrative privileges. "Because FortiGate and related platforms often sit at the edge of enterprise networks, unauthorized admin access can expose sensitive configurations and create long-term security risks," SOCRadar said. Mitigating Exploitation of CVE-2026-24858 Fortinet's advisory noted that the exploitation of CVE-2026-24858 was traced to two FortiCloud accounts, which were disabled by the vendor Jan. 22. But Fortinet took even more drastic actions on Jan. 26 to stop the malicious logins by temporarily disabling the FortiCloud SSO feature for all accounts and devices. Fortinet re-enabled the feature Jan. 27, but it no longer supports login from devices running versions vulnerable to CVE-2026-24858. "Therefore disabling FortiCloud SSO login on client side is not necessary at the moment," the advisory stated. Fortinet urged customers to upgrade all devices running FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb to fixed versions. According to the advisory, the vendor is investigating whether FortiSwitch Manager is vulnerable to CVE-2026-24858. In an emailed advisory today, Shadowserver Foundation CEO Piotr Kijewski said the organization's scans revealed approximately 10,000 exposed Fortinet instances with FortiCloud SSO enabled. That number is a steep drop from the 25,000 exposed instances Shadowserver observed in mid-December following the exploitation of CVE-2025-59718. About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area. See more from Rob Wright