Fortinet FortiCloud SSO mitigation guidance

Advisory/Mitigation
1 unique source, 1 article

Summary

Fortinet advised customers to restrict administrative access and disable FortiCloud SSO to reduce abuse of an actively exploited authentication bypass affecting devices running vulnerable firmware. The guidance was issued while patches were still being developed for FortiOS, FortiManager, and FortiAnalyzer. Fortinet later said the server-side change blocks exploitation even when FortiCloud SSO remains enabled on affected devices.

Related Happenings

Fortinet security patch release for CVE-2026-44277

Security Patch Release
First: 12.05.2026 21:23 Last: 12.05.2026 21:23 Sources 1

About this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...

Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)

Security Patch Release
First: 07.04.2026 12:26 Last: 07.04.2026 12:26 Sources 1

About this happening: **Fortinet** released an **emergency hotfix** for **FortiClient Enterprise Management Server (EMS)** after confirming **active exploitation** of **CVE-2026-35616**, a critical fla...

FortiClient EMS improper access control flaw (CVE-2026-35616)

Vulnerability
First: 05.04.2026 21:45 Last: 05.04.2026 21:45 Sources 1

About this happening: **CVE-2026-35616** is being **actively exploited** against **FortiClient Enterprise Management Server (EMS)**, putting exposed **7.4.5 and 7.4.6** deployments at risk of remote co...

Fortinet FortiClient EMS actively exploited SQL injection flaw (CVE-2026-21643)

Vulnerability
First: 30.03.2026 10:48 Last: 30.03.2026 10:48 Sources 1

About this happening: Active exploitation of **CVE-2026-21643** is putting **Fortinet FortiClient EMS** deployments at risk of **unauthenticated arbitrary code or command execution** on unpatched syste...

CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation

Security Tool/Service
First: 03.03.2026 02:06 Last: 03.03.2026 02:06 Sources 1

About this happening: **CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...

Timeline

  1. 28.01.2026 01:19 · 1 article

    FortiGate compromises via FortiCloud SSO emerge

    Exploitation Observed

    Fortinet customers reported compromised FortiGate firewalls on January 21 after attackers used FortiCloud SSO to create new local administrator accounts on devices running the latest available firmware.

  2. 28.01.2026 01:19 · 1 article

    Automated admin creation and config theft are confirmed

    Victim Impact Update

    On January 22, Arctic Wolf confirmed the attacks against Fortinet customers, saying the activity appeared automated, with new rogue admin and VPN-enabled accounts created and firewall configurations exfiltrated within seconds.

  3. 28.01.2026 01:19 · 1 article

    Alternate FortiCloud SSO authentication path is confirmed

    Technical Analysis Update

    On January 23, Fortinet said attackers were exploiting an alternate authentication path that remained available on fully patched systems and warned that the issue also applied to other SAML-based SSO implementations.

  4. 28.01.2026 01:19 · 2 articles

    Fortinet globally blocks FortiCloud SSO abuse

    Mitigation Patch Update

    On January 26, Fortinet disabled FortiCloud SSO globally on the FortiCloud side to prevent further abuse while patches were still being developed for FortiOS, FortiManager, and FortiAnalyzer.

  5. 28.01.2026 01:19 · 1 article

    Fortinet publishes CVE-2026-24858 advisory and restores restricted SSO

    Initial Disclosure

    On January 27, Fortinet published a formal PSIRT advisory assigning CVE-2026-24858, rating it critical with a CVSS score of 9.4, and restored FortiCloud SSO with a restriction that blocks devices running vulnerable firmware from authenticating via SSO.
