CISA added the flaw to its KEVs catalog as Fortinet warned that patches for most affected versions remain “upcoming,” even though vulnerable devices can no longer use cloud SSO until upgraded.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Fortinet disclosed a critical authentication bypass zero-day vulnerability (CVE-2026-24858, CVSS 9.4) affecting FortiCloud SSO that was actively exploited in the wild. The company took emergency action by temporarily disabling FortiCloud SSO globally on January 26, then re-enabled it with server-side blocking that prevents vulnerable devices from authenticating until upgraded. Attackers used two malicious FortiCloud accounts to compromise fully patched FortiGate firewalls, FortiManager, and FortiAnalyzer devices, creating local admin accounts and downloading configuration files. CISA added the flaw to its KEV catalog, requiring federal agencies to patch by February 17, 2026. Most patches remain "upcoming" with only FortiOS 7.4.11 currently released, affecting versions 7.0 through 7.6 of multiple Fortinet products.

Critical FortiCloud SSO zero‑day forces emergency service disablement at Fortinet