Fortinet Confirms New Zero-Day Behind Malicious SSO Logins

Today, we’re joined by Rupert Marais, our in-house security specialist with deep expertise in endpoint security and network management. We’re diving into the recent Fortinet zero-day vulnerability, CVE-2026-24858, a critical issue that sent ripples through the security community. Our conversation will explore the mechanics of this sophisticated authentication bypass, the subtle but significant dangers of “opt-out” security features, and how security teams must adapt when patches fail and attackers persist. We’ll also touch on the tough decisions vendors face during a crisis and how organizations can navigate the fog of war when initial threat reports are unclear, culminating in a look at the future of identity security in our increasingly connected infrastructure.

The new zero-day, CVE-2026-24858, is a critical authentication bypass. Could you explain how an attacker with just a valid FortiCloud account can exploit such a flaw, and what makes SSO vulnerabilities on network edge devices so uniquely dangerous for an organization?

It’s a chillingly simple premise for such a devastating attack. Essentially, an attacker, armed with nothing more than their own active FortiCloud account, could leverage this flaw to sidestep the normal authentication process and log directly into another organization’s device. Imagine having a key to your own apartment that suddenly also works on your neighbor’s door. The vulnerability turns the single sign-on feature into a master key. What makes this so uniquely dangerous is the location of these devices. FortiGate firewalls and similar platforms are the gatekeepers of a network; they sit right at the edge. Gaining administrative access here isn’t just about reading a few files; it’s about controlling the flow of all traffic, exposing highly sensitive configurations, and establishing a persistent foothold to launch further attacks deep inside the network.

The vulnerable SSO feature is not enabled by default but can be activated during device registration if an administrator doesn’t opt out. Please walk us through the security implications of this “opt-out” model and what best practices administrators should follow during device setup to avoid such pitfalls.

This “opt-out” model is a classic example of how convenience can quietly undermine security. The feature isn’t on by default, which is good. However, during the device registration process—a moment when an administrator is often focused on getting things up and running quickly—they are presented with a pre-checked box to “Allow administrative login using FortiCloud SSO.” It’s human nature to move past these prompts. The implication is that a secure setting is overridden by inaction. The best practice here is a principle of deliberate configuration. Never assume defaults are the most secure. During any setup, an administrator must meticulously review every option, especially those related to authentication and remote access. You should always operate from a “least privilege” mindset: if you don’t have a clear and pressing need for a feature, especially one that opens up a new authentication path, leave it disabled.

Malicious logins were reported on devices patched for a similar December vulnerability, which led to the discovery of this new zero-day. When threat activity persists after patching, what does that suggest about an attacker’s methods, and how should security teams pivot their investigation and response?

Seeing the same malicious activity reappear after a patch has been applied is one of the most alarming signals a security team can get. It immediately tells you you’re not dealing with a simple, opportunistic attacker using a known script. This suggests a determined adversary who has either found a way to bypass the original patch or, as was the case here, was holding a second, entirely different zero-day exploit in reserve. For security teams, this is a critical pivot point. The focus must shift from patch management to active threat hunting. You can no longer trust that the vulnerability is closed. Your investigation has to assume a new, unknown attack path is being used, and you must intensify log monitoring, scrutinize all SSO logins for anomalous behavior, and re-examine any configuration changes made on those edge devices.

In response, Fortinet temporarily disabled the entire FortiCloud SSO service for all users. Can you elaborate on the operational trade-offs of such a drastic mitigation strategy and what this action signals about the severity of the threat they were confronting?

Taking the entire global SSO service offline, even for a day, is the digital equivalent of shutting down a major highway. It’s an incredibly disruptive and costly decision, both for Fortinet and its customers who rely on that feature for daily operations. This action speaks volumes about the severity of the threat. It signals that the attack was active, widespread, and that they couldn’t immediately pinpoint or contain it with a more surgical fix. The trade-off is clear: you accept significant, short-term operational pain to prevent potentially catastrophic and widespread security breaches across your entire customer base. It was a last-resort measure that tells us the risk of leaving the service online was deemed unacceptably high.

Initial reports suggested a broad impact on all SAML SSO implementations before being clarified to only affect FortiCloud SSO. In a fast-moving incident, how can security teams effectively manage this uncertainty and make defensive decisions when the full scope of a threat is still evolving?

That initial confusion is what we call the “fog of war” in an incident response. The first reports are often incomplete or even incorrect. For a security team on the ground, the only safe strategy is to assume the worst-case scenario while actively seeking clarification. When the initial alert said “all SAML SSO implementations,” the correct defensive posture was to immediately start scrutinizing all SAML logins, not just those from FortiCloud. You act on the broader threat while simultaneously pushing for verified intelligence from the vendor and trusted sources. It’s a delicate balance of decisive action based on imperfect data. You can always scale back your response once you get better information, but you can’t go back in time to prevent a breach you failed to act on.

Threat scans identified roughly 10,000 exposed instances with FortiCloud SSO enabled, down from 25,000 during a similar event in December. What factors might contribute to this reduction, and does a lower number of exposed devices necessarily mean the overall risk to organizations is proportionally smaller?

The drop from 25,000 to 10,000 exposed devices is encouraging on the surface. This reduction is likely due to a combination of factors. Many administrators probably learned a hard lesson from the December vulnerability and proactively disabled the feature or applied patches that removed their devices from the vulnerable pool. However, it’s a dangerous mistake to assume that a lower number means proportionally lower risk. Risk isn’t just a numbers game. A single one of those 10,000 devices could be the gateway into a major financial institution, a healthcare provider, or a government agency. The impact of a breach at one high-value target could easily outweigh breaches at a hundred smaller ones. The overall risk remains critical as long as even one valuable target is exposed.

What is your forecast for the security of SSO and federated identity systems, especially as they become more integrated into critical network infrastructure?

My forecast is that these systems will become an increasingly high-stakes battleground. As we move more infrastructure to the cloud and rely on federated identity, SSO is no longer just a convenience—it’s the central pillar of our access control. Attackers know this. They are shifting their focus from trying to breach a hundred different password databases to finding a single flaw in the one system that holds the keys to the entire kingdom. We’re going to see more sophisticated attacks targeting SSO implementations, more supply-chain risks through third-party identity providers, and a much greater emphasis from defenders on layered security. Simply having SSO won’t be enough; it will need to be fortified with robust multi-factor authentication, continuous monitoring, and behavioral analytics to detect when a legitimate-looking login is anything but.