Fortinet recently confirmed that its FortiGate devices are affected by a new critical authentication vulnerability that is being actively exploited. The vulnerability, tracked as CVE-2026-24858, allows attackers with a FortiCloud account to log in to devices registered to other account owners due to an authentication bypass flaw in devices using FortiCloud single sign-on (SSO). CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue and gave federal agencies just three days to patch, which requires users to upgrade all devices running FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb to fixed versions. This recent activity follows the exploitation of two other SSO authentication flaws, CVE-2025-59718 and CVE-2025-59719, which were disclosed last month.
What’s Notable and Unique
- There are strong indications that much of the recent exploitation activity was automated, with attackers moving from initial access to account creation within seconds.
- As observed in December 2025, the attackers’ primary target appears to be firewall configuration files, which contain a trove of information that can be leveraged in future operations.
- The threat actors in this campaign favor innocuous, IT-themed email and account names, with malicious login activity originating from cloud-init@mail[.]io and cloud-noc@mail[.]io, while account names such as ‘secadmin’, ‘itadmin’, ‘audit’, and others are created for persistence and subsequent activity.
Analyst Comments
This is an active campaign, and the investigation into these attacks is ongoing. Organizations relying on FortiGate devices should remain extremely vigilant, even after following patching guidance. With threat actors circumventing authentication, it’s crucial to monitor for and alert on anomalous behavior within your environment, such as the unauthorized creation of admin accounts, the creation or modification of access policies, logins outside normal working hours, and anything that deviates from your security baseline.
Sources
- Administrative FortiCloud SSO authentication bypass
- Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass
- Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
- Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719
Related Resources
![]()
Chrome Extensions Used for Credential-Stealing and ClickFix Attacks
Malicious Chrome extensions enterprise users rely on are being abused to steal sessions, impersonate trusted tools, and provide attackers with initial access through social engineering and browser-level compromise.
Read more![]()
LockBit 5.0: The RaaS That Refuses to Go Away
LockBit 5.0 ransomware marks the group’s attempted resurgence, introducing updated Windows and Linux variants, enhanced anti-analysis features, and a newly launched data leak site with over 100 alleged victims.
Read more![]()
Ransomware Trends & Data Insights: December 2025
Get the latest ransomware trends and data insights from December 2025.
Read more
