Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fortinet FortiCloud SSO mitigation guidance

Advisory/Mitigation
First reported
Last updated
Happening score
H score 51
1 unique sources, 1 articles

Summary

Hide ▲

Fortinet advised customers to restrict administrative access and disable FortiCloud SSO to reduce abuse of an actively exploited authentication bypass affecting devices running vulnerable firmware. The guidance was issued while patches were still being developed for FortiOS, FortiManager, and FortiAnalyzer. Fortinet later said the server-side change blocks exploitation even when FortiCloud SSO remains enabled on affected devices.

Related Happenings

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score80 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

Fortinet FortiSandbox multi-CVE exploitation wave

Exploitation Wave
H score49 First: 16.06.2026 12:19 Last: 16.06.2026 12:19 Sources 1

About this happening: **Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...

Timeline

  1. 28.01.2026 01:19 1 articles · 5mo ago

    FortiGate compromises via FortiCloud SSO emerge

    Exploitation Observed

    Fortinet customers reported compromised FortiGate firewalls on January 21 after attackers used FortiCloud SSO to create new local administrator accounts on devices running the latest available firmware.

    Show sources
  2. 28.01.2026 01:19 1 articles · 5mo ago

    Automated admin creation and config theft are confirmed

    Victim Impact Update

    On January 22, Arctic Wolf confirmed the attacks against Fortinet customers, saying the activity appeared automated, with new rogue admin and VPN-enabled accounts created and firewall configurations exfiltrated within seconds.

    Show sources
  3. 28.01.2026 01:19 1 articles · 5mo ago

    Alternate FortiCloud SSO authentication path is confirmed

    Technical Analysis Update

    On January 23, Fortinet said attackers were exploiting an alternate authentication path that remained available on fully patched systems and warned that the issue also applied to other SAML-based SSO implementations.

    Show sources
  4. 28.01.2026 01:19 2 articles · 5mo ago

    Fortinet globally blocks FortiCloud SSO abuse

    Mitigation Patch Update

    On January 26, Fortinet disabled FortiCloud SSO globally on the FortiCloud side to prevent further abuse while patches were still being developed for FortiOS, FortiManager, and FortiAnalyzer.

    Show sources
  5. 28.01.2026 01:19 1 articles · 5mo ago

    Fortinet publishes CVE-2026-24858 advisory and restores restricted SSO

    Initial Disclosure

    On January 27, Fortinet published a formal PSIRT advisory assigning CVE-2026-24858, rating it critical with a CVSS score of 9.4, and restored FortiCloud SSO with a restriction that blocks devices running vulnerable firmware from authenticating via SSO.

    Show sources