A newly disclosed vulnerability is challenging the security of Fortinet’s popular firewall and management products, exposing customers to unauthorized access through FortiCloud’s single sign-on (SSO) mechanism. This incident, which allowed attackers to use compromised FortiCloud accounts to alter device configurations and access sensitive systems, has heightened concerns among cybersecurity professionals. Organizations across various sectors are now assessing their risk, given the widespread use of FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb. The issue emerges during an ongoing period of vulnerability fatigue among Fortinet customers, as repeated defects continue to place organizations’ security posture under pressure.
While Fortinet has addressed multiple zero-day vulnerabilities in the past, earlier disclosures have typically been followed by prompt patches and more detailed incident explanations. However, with CVE-2026-24858, uncertainty remains regarding whether the issue circumvents previous fixes or introduces a new attack vector. In contrast to the vendor’s previous practices, the delay in delivering patches for this flaw and ambiguity about its connection to December’s similar vulnerabilities have stirred broader unease among customers and industry experts. Recent findings indicate almost 10,000 affected devices remain exposed, especially in the United States, underscoring the persistent challenge companies face in staying secure as attackers probe for unpatched systems.
How Did Attackers Exploit the FortiCloud SSO Flaw?
Attackers gained illicit access by leveraging weaknesses in the FortiCloud SSO flow, allowing them to log into devices registered to accounts other than their own. These exploits, traced to malicious FortiCloud accounts that Fortinet has since blocked, resulted in rogue firewall reconfigurations, creation of new unauthorized users, and changes to VPN settings. Fortinet responded by temporarily disabling the SSO service before restoring it with added restrictions designed to block logins from vulnerable device versions. The company has not confirmed a timeline for the release of comprehensive patches.
What Steps Are Being Taken to Address the Vulnerability?
Fortinet issued a security advisory with recommendations for mitigation, and external researchers such as Arctic Wolf reported a pause in observed exploitation after these actions. The Cybersecurity and Infrastructure Security Agency (CISA) swiftly added the flaw to its catalog of known exploited vulnerabilities and distributed Fortinet’s guidance across government and private networks. Researchers are still working to measure the full impact, but industry partners urge vigilance and adherence to best security practices.
“There are those that know they’re affected, and likely a number that are unaware,”
said Ben Harris of watchTowr, reflecting on the uncertainty surrounding the incident’s scope.
How Are Customers and Industry Experts Reacting?
Frustration has mounted among organizations relying on Fortinet products, many of whom note an increasing frequency of critical vulnerabilities. Joe Toomey, an executive with Coalition, highlighted the recurrence of zero-days in Fortinet solutions and expressed doubts over the vendor’s commitment to effective security.
“All of which makes one begin to wonder if Fortinet is really taking security seriously,”
Toomey stated, echoing sentiments felt within portions of the cybersecurity community. Despite some praise for Fortinet’s clear communication and rapid containment measures, extended wait times for fixes and the high number of advisories continue to shape customers’ perceptions.
Analysis of recent incidents and community feedback reveals a need for ongoing vigilance when deploying network hardware solutions such as those marketed under the Fortinet brand. As attackers increasingly focus on exploiting hardware authentication flows, organizations are encouraged to regularly audit exposed management interfaces, restrict external access, and apply all vendor-suggested mitigations. The consistently high number of Fortinet vulnerabilities reported in global tracking databases highlights the necessity for more robust code review and vulnerability management processes across the industry. For security teams, proactive visibility and layered controls remain essential, especially as attackers adapt to patch cycles and disclosure timelines.
