Fortinet has released emergency security updates after confirming active exploitation of a serious vulnerability in its FortiOS Single Sign-On system. The flaw, tracked as CVE-2026-24858, allows attackers to bypass authentication controls. Security researchers found that the issue was already being abused in real-world attacks. This made immediate patching critical.

Fortinet logo representing the company releasing emergency security patches for an actively exploited FortiOS SSO vulnerability.

The vulnerability affects how Fortinet devices authenticate users through FortiCloud SSO. Under certain conditions, an attacker with a valid FortiCloud account and a registered device could gain unauthorized access. This access could extend to other customers’ Fortinet systems. As a result, attackers could reach devices they should not control.

Investigations showed that attackers used this flaw to log into affected systems and create new local administrator accounts. Once admin access was gained, attackers had full control over the device. This included changing firewall rules, viewing network traffic, and exporting sensitive configurations. Such access poses a serious risk to enterprise networks.

Diagram comparing conventional login methods with Single Sign-On (SSO), showing how a single authentication grants access to multiple cloud services, relevant to FortiOS SSO security risks.

One alarming detail was that some compromised systems were fully updated at the time of the attacks. This indicated that the issue was not caused by outdated firmware. Instead, the weakness existed in the FortiCloud SSO authentication logic itself. This discovery prompted Fortinet to treat the issue as a high-priority security incident.

Fortinet responded by releasing patched versions of FortiOS and other affected products. The company also took steps to reduce exposure by restricting certain FortiCloud SSO behaviors during the response period. Customers were advised to update their devices immediately. These actions were taken to prevent further unauthorized access.

Digital access control interface illustrating an authentication bypass flaw in FortiOS Single Sign-On systems.

The vulnerability carries a high severity rating, with a CVSS score of approximately 9.4. Due to confirmed exploitation, the issue was classified as a known exploited vulnerability. This classification signals that attackers are actively using the flaw. Organizations are therefore urged to treat the patching process as urgent.

Fortinet clarified that FortiCloud SSO is not enabled by default. However, devices registered to FortiCare may have the feature active depending on configuration choices. Organizations that enabled SSO without strict access controls may have been exposed. Administrators are now encouraged to review their authentication settings carefully.

Cybersecurity protection concept showing the importance of securing authentication systems after a Fortinet SSO vulnerability.

Security experts recommend applying the latest patches and reviewing logs for unusual activity. Any unknown administrator accounts should be treated as signs of compromise. Credentials should be rotated and configurations reviewed if suspicious access is found. The incident highlights the risks of cloud-based authentication if not properly secured.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news