Critical FortiCloud SSO zero-day forces emergency service disablement at Fortinet


Attack details and indicators: Fortinet’s investigation into the exploitation revealed attackers used two specific FortiCloud accounts: “cloud-noc@mail.io” and “cloud-init@mail.io,” though the company warned “these addresses may change in the future.” Fortinet identified multiple IP addresses associated with the attacks, including several Cloudflare-protected addresses that attackers used to obscure their activities. “Following authentication via SSO, it has been observed that the actor creates a local admin account with one of the following names,” Fortinet warned, listing accounts including “audit,” “backup,” “itadmin,” “secadmin,” “support,” and “system.” The attackers’ main operations focused on downloading customer configuration files and creating persistent admin accounts.
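One way to turn the indicators above into a check is to parse a FortiOS CLI configuration backup and flag local admin entries that carry one of the reported names, or that are missing from a known-good baseline. This is an added example for defenders, not code from the article or from Fortinet; it assumes the standard `config system admin` / `edit "name"` / `next` / `end` backup syntax, and the sample configuration is constructed. It goes slightly beyond the article by also flagging any admin absent from the baseline, since the reported names may change.

```python
import re
from typing import Dict, List, Set

# Local admin names the article reports the actor creating after a FortiCloud SSO login.
# Fortinet warned the list may change, so callers may pass their own set.
SUSPICIOUS_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "system"}

# Constructed sample in FortiOS CLI backup syntax (not taken from any real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "itadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "noc-readonly"
        set accprofile "prof_readonly"
        set vdom "root"
    next
end
"""

def parse_admins(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin name: {setting: value}} from the 'config system admin' block."""
    admins: Dict[str, Dict[str, str]] = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break                                   # end of the admin block
        elif in_block and line.startswith("edit "):
            current = line[5:].strip('"')           # admin name, quotes removed
            admins[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins

def flag_admins(config_text: str, baseline: Set[str],
                suspicious: Set[str] = SUSPICIOUS_ADMIN_NAMES) -> List[str]:
    """Admin names to review: reported actor-created names plus any admin not in the baseline."""
    admins = parse_admins(config_text)
    return sorted(n for n in admins if n.lower() in suspicious or n not in baseline)
```

Run `flag_admins(backup_text, baseline={"admin"})` against a backup; a hit is a prompt to verify the account's origin, not proof of compromise.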

Emergency cloud-side shutdown: In response to the active exploitation, Fortinet disabled FortiCloud SSO across its entire cloud infrastructure on January 26 to protect customers from further attacks. The feature was re-enabled 24 hours later with a critical safeguard. “It was re-enabled on January 27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function,” Fortinet explained. This server-side blocking means organizations running vulnerable versions cannot use FortiCloud SSO until they upgrade to patched releases, even though most of those patches are not yet available.

Affected products and patch status: The vulnerability affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy versions 7.0 through 7.6. Version 6.4 releases are not affected. Fortinet said it is still investigating whether FortiWeb and FortiSwitch Manager are also vulnerable. Fortinet’s advisory lists most patched versions as “upcoming,” with FortiOS 7.4.11 appearing to be the only released fix so far. The company’s upgrade tool provides recommended upgrade paths once patches become available.

Federal deadline and immediate actions: CISA’s addition of CVE-2026-24858 to the KEV catalog means federal civilian executive branch agencies must patch affected systems by February 17, 2026, or discontinue use of vulnerable products. The agency said the vulnerability “is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” Fortinet noted that “disabling FortiCloud SSO login on client side is not necessary at the moment,” though organizations can disable the feature locally through System Settings or CLI commands if desired.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4123500/critical-forticloud-sso-zero%e2%80%91day-forces-emergency-service-disablement-at-fortinet.html
