Fortinet FortiCloud SSO mitigation guidance
Advisory/Mitigation
Summary
Hide ▲
Show ▼
Fortinet advised customers to restrict administrative access and disable FortiCloud SSO to reduce abuse of an actively exploited authentication bypass affecting devices running vulnerable firmware. The guidance was issued while patches were still being developed for FortiOS, FortiManager, and FortiAnalyzer. Fortinet later said the server-side change blocks exploitation even when FortiCloud SSO remains enabled on affected devices.
Related Happenings
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Fortinet FortiSandbox multi-CVE exploitation wave
Exploitation Wave
H score49
First: 16.06.2026 12:19
Last: 16.06.2026 12:19
Sources 1
About this happening:
**Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...
Fortinet FortiSandbox multi-CVE exploitation wave
Exploitation WaveAbout this happening: **Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...
Timeline
-
28.01.2026 01:19 1 articles · 5mo ago
FortiGate compromises via FortiCloud SSO emerge
Exploitation ObservedFortinet customers reported compromised FortiGate firewalls on January 21 after attackers used FortiCloud SSO to create new local administrator accounts on devices running the latest available firmware.
Show sources
- Fortinet blocks exploited FortiCloud SSO zero day until patch is ready — www.bleepingcomputer.com — 28.01.2026 01:19
-
28.01.2026 01:19 1 articles · 5mo ago
Automated admin creation and config theft are confirmed
Victim Impact UpdateOn January 22, Arctic Wolf confirmed the attacks against Fortinet customers, saying the activity appeared automated, with new rogue admin and VPN-enabled accounts created and firewall configurations exfiltrated within seconds.
Show sources
- Fortinet blocks exploited FortiCloud SSO zero day until patch is ready — www.bleepingcomputer.com — 28.01.2026 01:19
-
28.01.2026 01:19 1 articles · 5mo ago
Alternate FortiCloud SSO authentication path is confirmed
Technical Analysis UpdateOn January 23, Fortinet said attackers were exploiting an alternate authentication path that remained available on fully patched systems and warned that the issue also applied to other SAML-based SSO implementations.
Show sources
- Fortinet blocks exploited FortiCloud SSO zero day until patch is ready — www.bleepingcomputer.com — 28.01.2026 01:19
-
28.01.2026 01:19 2 articles · 5mo ago
Fortinet globally blocks FortiCloud SSO abuse
Mitigation Patch UpdateOn January 26, Fortinet disabled FortiCloud SSO globally on the FortiCloud side to prevent further abuse while patches were still being developed for FortiOS, FortiManager, and FortiAnalyzer.
Show sources
- Fortinet blocks exploited FortiCloud SSO zero day until patch is ready — www.bleepingcomputer.com — 28.01.2026 01:19
- Fortinet blocks exploited FortiCloud SSO zero day until patch is ready — www.bleepingcomputer.com — 28.01.2026 01:19
-
28.01.2026 01:19 1 articles · 5mo ago
Fortinet publishes CVE-2026-24858 advisory and restores restricted SSO
Initial DisclosureOn January 27, Fortinet published a formal PSIRT advisory assigning CVE-2026-24858, rating it critical with a CVSS score of 9.4, and restored FortiCloud SSO with a restriction that blocks devices running vulnerable firmware from authenticating via SSO.
Show sources
- Fortinet blocks exploited FortiCloud SSO zero day until patch is ready — www.bleepingcomputer.com — 28.01.2026 01:19