Fortinet’s FortiCloud Zero-Day Nightmare: Hackers Bypassed Auth on Firewalls – Patch Now!
Fortinet just dropped emergency patches for CVE-2026-24858, a brutal zero-day in FortiCloud SSO that let attackers log into victims’ FortiGate firewalls using rogue accounts. Attackers exploited it in the wild as early as January 20, creating sneaky admin accounts even on supposedly patched devices.
Here’s the gritty details: This auth bypass hits FortiOS (firewalls), FortiAnalyzer (logging), and FortiManager (device management) when FortiCloud SSO is enabled. It followed hot on the heels of CVE-2025-59718, another exploited flaw – attackers used two malicious FortiCloud accounts, locked out by Fortinet on January 22. Patches rolled out starting FortiOS 7.4.11, with more coming for the others. Fortinet killed SSO server-side on January 26, flipped it back on January 27, but only for patched gear. They’ve got IOCs like specific IPs and usernames – hunt those logs yesterday.
For devs and ops folks, this screams cloud-SSO risks: If you’re wiring Fortinet kit into your stack, one misconfig exposes your entire perimeter. Exposed firewalls? You’re a sitting duck for lateral movement into your network. Prioritize: Update firmware ASAP, lock admin access to trusted IPs, ditch internet-facing mgmt interfaces. This isn’t theoretical – real orgs got pwned despite “latest” patches.
Bottom line: Fortinet moved fast, but zero-days like this prove why you audit configs religiously and segment like your job depends on it (it does). Devs, bake in vuln scanning for vendor deps – next breach could be yours.
