Fortinet in the Crosshairs: Hackers Exploit Fresh SSO Flaw, Thousands at Risk
Subtitle: A critical FortiCloud vulnerability is being weaponized, prompting urgent warnings and a scramble to secure thousands of exposed systems.
In the relentless chess match of cyber defense, a new piece just fell. Federal authorities and security researchers are sounding the alarm after discovering that a critical flaw in Fortinet’s FortiCloud single sign-on (SSO) service is actively being exploited, putting thousands of organizations directly in hackers’ sights.
The flaw, designated CVE-2026-24858, is as dangerous as it is insidious. It allows any attacker with a registered device and a FortiCloud account to slip into other organizations’ environments-provided those victims have enabled SSO on their devices. Once inside, hackers have been observed changing firewall configurations, creating unauthorized accounts, and manipulating VPN access to burrow deeper into networks.
What makes this vulnerability particularly alarming is its reach and speed. Shadowserver, a nonprofit threat intelligence group, has flagged approximately 10,000 vulnerable systems worldwide. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added the flaw to its “Known Exploited Vulnerabilities” list, a stark indication that exploitation is widespread and ongoing.
Past fixes are no defense: Organizations that patched Fortinet’s previous SSO bypass flaws in December (CVE-2025-59718 and CVE-2025-59719) remain exposed unless they upgrade to the latest secure versions. In a rare move, Fortinet temporarily disabled FortiCloud SSO entirely, restoring it only for devices that have been updated. Older, vulnerable devices are now locked out, leaving unpatched users in the dark until they act.
Security researchers at Arctic Wolf say the attacks are highly automated. Since at least January 15, attackers have been using scripts to create generic accounts, immediately download firewall configurations, and alter VPN settings-sometimes within seconds of gaining access. The endgame? Persistent access and rapid data theft.
While the technical underpinnings of this flaw differ from the December vulnerabilities, the attack playbook remains chillingly similar: exploit SSO, grab configurations, and establish a beachhead. For organizations relying on Fortinet’s cloud services, the message is clear: patch now, or risk becoming the next headline.
The FortiCloud SSO crisis serves as a stark reminder that even trusted security infrastructure can become a liability overnight. As attackers grow bolder and more automated, vigilance and rapid response are the only shields against the next breach. In the world of cyber defense, complacency is no longer an option.
WIKICROOK
- Single Sign: Single Sign-On (SSO) lets users access multiple services with one login, simplifying access but increasing risk if credentials are compromised.
- Firewall Configuration: Firewall configuration sets rules and policies on a firewall to manage network access, control traffic, and enhance organizational security.
- VPN (Virtual Private Network): A VPN encrypts your internet connection and hides your IP address, providing extra privacy and security when browsing online or using public Wi-Fi.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
- Data Exfiltration: Data exfiltration is the unauthorized transfer of sensitive data from a victim’s system to an attacker’s control, often for malicious purposes.
