The year 2026 has started with an avalanche of zero-day vulnerabilities, posing a serious challenge for cyber defenders. Shortly after the Microsoft Office zero-day (CVE-2026-21509) and a critical flaw in Cisco products (CVE-2026-20045), both repeatedly exploited in the wild, Fortinet has disclosed another serious issue that immediately drew the attention of threat actors.
Tracked as CVE-2026-24858, the FortiCloud SSO flaw allows an attacker who holds a FortiCloud account with a registered device to bypass authentication and gain access to devices registered to other FortiCloud accounts, on any device where FortiCloud SSO is enabled.
The 2025 Verizon Data Breach Investigations Report (DBIR) records a 34% rise in vulnerability exploitation, which accounted for 20% of all breaches last year. The median time to mass exploitation keeps shrinking, and large-scale exploitation frequently breaks out before the CVE is even published, making zero-days the new normal.
Join the SOC Prime Platform, the world’s largest hub of Detection Intelligence, providing a complete pipeline from threat detection to simulation to enhance your SOC operations and proactively defend against APTs, exploitation campaigns, and advanced cyber threats. Click Explore Detections to access a curated, context-rich collection of detection rules addressing vulnerability exploitation, filtered by the relevant CVE tags.
All rules are mapped to the latest MITRE ATT&CK® framework (v18.1) and are compatible with multiple SIEM, EDR, and data lake platforms. Each rule is also enriched with metadata such as CTI references, attack flows, and audit configurations.
Cyber defenders can also use Uncoder AI to streamline their detection engineering workflows: turn raw threat reports into behavior-based rules, test detection logic, map out attack flows, convert IOCs into hunting queries, or translate detection code across query languages, with AI and deep cybersecurity expertise behind every step.
CVE-2026-24858 Analysis
In late January 2026, Fortinet disclosed CVE-2026-24858, a critical flaw in FortiOS, FortiManager, and FortiAnalyzer that allows attackers to bypass FortiCloud single sign-on (SSO) and access devices linked to other FortiCloud accounts. The weakness is an authentication bypass using an alternate path or channel (CWE-288), so any device with FortiCloud SSO active is exposed regardless of how strong its local admin credentials are.
FortiCloud SSO is not enabled out of the box, but the GUI registration flow turns it on: when an administrator registers a device with FortiCare through the GUI, the registration dialog includes the toggle “Allow administrative login using FortiCloud SSO”, and unless that toggle is manually switched off, SSO is enabled on the device and the device becomes exposed. Administrators should therefore verify the current state of that setting rather than assume it is off.
The vulnerability was actively exploited in the wild by at least two malicious FortiCloud accounts, which Fortinet blocked on January 22, 2026. To contain the risk, Fortinet temporarily suspended FortiCloud SSO on January 26 and restored it the next day only for devices running patched firmware. Users are strongly advised to update to the latest firmware before relying on SSO authentication again. FortiWeb and FortiSwitch Manager are still being evaluated for related issues.
This disclosure follows a series of attacks in which unknown threat actors abused a “new attack path” to bypass FortiCloud SSO authentication without credentials. On January 20, 2026, multiple Fortinet customers reported that attackers had gained access to their FortiGate firewalls and created new local admin accounts, even though the devices were running the latest FortiOS release. Those devices had already been patched against CVE-2025-59718 and CVE-2025-59719, earlier SSO bypass flaws triggered by specially crafted SAML messages on internet-exposed devices, so the previous fixes did not help. Fortinet confirmed that the new intrusions were caused by CVE-2026-24858, underlining the ongoing risk of authentication bypass on FortiCloud SSO-enabled devices. Note that installing the patch does not remove accounts an attacker has already created: the local administrator list and recent configuration changes on any SSO-enabled device should be reviewed for persistence.
CVE-2026-24858 is rated critical with a CVSS score of 9.4 and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with remediation required for all Federal Civilian Executive Branch (FCEB) agencies by January 30, 2026.
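Two checks follow from the paragraphs above: whether a device actually has FortiCloud SSO login switched on, and whether its event logs show the kind of local admin account creation the customers reported. The script below is an added example written for this post, not Fortinet's or SOC Prime's code. It audits a constructed FortiOS configuration backup excerpt and a handful of constructed FortiGate-style event log lines. The config key admin-forticloud-sso-login under "config system global", the logids, the ui="sso(...)" marker for SSO-originated sessions, and the KNOWN_ADMINS baseline are all assumptions made for the example; confirm the field values against your own firmware and logs before deploying the logic.

```python
import re
from typing import Dict, Iterable, List

# Constructed excerpt of a FortiOS configuration backup (not a real device).
# The key admin-forticloud-sso-login is assumed to be the CLI setting behind the
# GUI registration toggle "Allow administrative login using FortiCloud SSO".
SAMPLE_CONFIG = """\
config system global
    set admintimeout 10
    set admin-forticloud-sso-login enable
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
    next
end
"""

# Constructed FortiGate-style event log lines (not real captures). The
# key="value" layout and the action/cfgpath/cfgobj fields follow FortiGate's
# configuration-change event logs; the logids and the ui="sso(...)" marker for
# FortiCloud SSO sessions are assumptions made for this example.
SAMPLE_LOGS = [
    'date=2026-01-20 time=10:14:02 devname="FGT-EDGE-01" logid="0100032001" type="event" '
    'subtype="system" level="information" user="admin" ui="https(203.0.113.5)" action="login" '
    'status="success" msg="Administrator admin logged in successfully from https(203.0.113.5)"',
    'date=2026-01-20 time=10:15:41 devname="FGT-EDGE-01" logid="0100044547" type="event" '
    'subtype="system" level="information" user="sso_admin" ui="sso(198.51.100.7)" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-01-20 time=10:16:03 devname="FGT-EDGE-01" logid="0100044547" type="event" '
    'subtype="system" level="information" user="sso_admin" ui="sso(198.51.100.7)" action="Edit" '
    'cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" '
    'msg="Edit system.admin svc_backup"',
    'date=2026-01-20 time=11:02:55 devname="FGT-EDGE-01" logid="0100044547" type="event" '
    'subtype="system" level="information" user="admin" ui="ssh(10.10.0.2)" action="Add" '
    'cfgpath="firewall.address" cfgobj="host_10_1_1_5" msg="Add firewall.address host_10_1_1_5"',
]

# Assumed baseline of approved local administrator accounts for this device.
KNOWN_ADMINS = {"admin", "netops"}

# key=value pairs; quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate syslog line into a field dict."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if bare == "" else bare
    return fields


def forticloud_sso_enabled(config_text: str) -> bool:
    """True if the backup explicitly enables FortiCloud SSO admin login.

    A backup omits settings left at their default, so an absent key is reported
    as disabled here; verify the default for your firmware rather than trusting
    this silently.
    """
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif in_global and line == "end":
            return False
        elif in_global and line.startswith("set admin-forticloud-sso-login "):
            return line.split()[-1] == "enable"
    return False


def detect_admin_changes(lines: Iterable[str], known_admins=KNOWN_ADMINS) -> List[dict]:
    """Return one finding per change to system.admin.

    Severity is raised when the change resembles the persistence described in
    the post: a new admin outside the baseline, a profile raised to super_admin,
    or any admin change made through a FortiCloud SSO session.
    """
    findings: List[dict] = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("type") != "event" or ev.get("cfgpath") != "system.admin":
            continue
        action = ev.get("action", "")
        account = ev.get("cfgobj", "")
        reasons: List[str] = []
        if action == "Add" and account not in known_admins:
            reasons.append("new local admin not in baseline")
        if action == "Edit" and "super_admin" in ev.get("cfgattr", ""):
            reasons.append("admin profile raised to super_admin")
        if ev.get("ui", "").startswith("sso("):
            reasons.append("change made through a FortiCloud SSO session")
        findings.append({
            "time": f"{ev.get('date', '?')} {ev.get('time', '?')}",
            "device": ev.get("devname", "?"),
            "actor": ev.get("user", "?"),
            "action": action,
            "account": account,
            "reasons": reasons,
            "severity": "high" if reasons else "medium",
        })
    return findings


if __name__ == "__main__":
    print("FortiCloud SSO admin login enabled:", forticloud_sso_enabled(SAMPLE_CONFIG))
    for f in detect_admin_changes(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['time']} {f['device']} actor={f['actor']} "
              f"{f['action']} system.admin/{f['account']}: {'; '.join(f['reasons']) or 'review'}")
```

Run it against an exported configuration backup and a syslog feed from the device. Every system.admin change is kept as at least a medium finding on purpose: on a device that was SSO-enabled during the exploitation window, the list of admin changes is the thing to review, and the high-severity reasons just order that review.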
Fortinet strongly recommends that all affected users immediately update their FortiOS, FortiManager, and FortiAnalyzer devices to the latest patched versions and follow the mitigation steps described in the advisory. Since the flaw only affects devices with FortiCloud SSO enabled, disabling the FortiCloud SSO login option on devices that cannot be patched yet removes the exposed path in the meantime. Additionally, SOC teams can strengthen their defenses with SOC Prime’s AI-Native Detection Intelligence Platform, which provides access to the largest and most up-to-date repository of detection content. The platform lets teams run a full pipeline from detection to simulation, orchestrate workflows using natural language, and keep pace with the constantly evolving threat landscape while enhancing security at scale.