CVE-2026-24858 Improper access control in Fortinet FortiAnalyzer FortiCloud SSO authentication bypass
BLUF
A critical improper access control vulnerability in FortiAnalyzer allows unauthorized administrative access via FortiCloud SSO, which has been observed being exploited in the wild by threat actors.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by exploitation of the FortiAnalyzer FortiCloud SSO authentication bypass (CVE-2026-24858):
· Low-end total cost: $500K – $1.1M
o (Limited dwell time, rapid detection, no downstream compromise)
· Typical expected range: $1.1M – $2.5M
o (Unauthorized admin access confirmed, config exposure, moderate response scope)
· Upper-bound realistic scenarios: $2.5M – $4.5M
o (Persistence established, broader trust review, regulatory engagement required)
Key Cost Drivers
· Duration of unauthorized administrative access before detection
· Scope of configuration and credential exposure from FortiAnalyzer
· Degree of reliance on FortiAnalyzer for enterprise-wide security operations
· Regulatory environment and notification thresholds
· Cyber insurance deductibles, exclusions, and post-incident adjustments
Potential Affected Sectors
· Critical Infrastructure
· Corporate Enterprise
· Managed Service Providers (MSPs)
· Government entities using Fortinet FortiAnalyzer.
Potential Impacted Countries
· Global
Date of First Reported Activity
· On/before January 22, 2026.
Date of Last Reported Activity Update
· January 27, 2026 (Fortinet re-enabled SSO after mitigation measures).
Tools Used in Campaign
· Custom malicious FortiCloud accounts
· Likely automated enumeration scripts.
TTPs
· T1190 Exploit Public-Facing Application
o Attackers exploit improper access control or improper verification of cryptographic signatures within the SAML SSO implementation to bypass authentication. This allows unauthenticated remote access to the administration interface.
· T1133 External Remote Services
o Attackers leverage the authentication bypass to gain unauthorized access to the FortiCloud SSO, which acts as an external entry point. The attacks have been observed to affect even fully patched devices, suggesting a new attack path or zero-day.
· T1078 Valid Accounts
o The attackers create new, unauthorized administrative accounts or hijack existing, legitimately registered accounts via the SSO breach, often under the guise of an "Admin login successful" event, creating persistence.
· T1098 Account Manipulation
o The attacker modifies configurations to enable VPN access for newly created or unauthorized accounts, ensuring persistent, remote, and authenticated access to the network.
· T1005 Data from Local System
o Following the authorization bypass, attackers frequently exfiltrate sensitive configuration files from the affected devices.
· T1537 Transfer Data to Cloud Account
o While often involving local exfiltration, the nature of the attack (targeting FortiCloud SSO) suggests exfiltration of configuration data to adversary-controlled cloud environments.
IOCs
Malicious IP Addresses
· 104.28.244.115
· 104.28.212.114
· 217.119.139.50
· 37.1.209.19
Unauthorized Accounts & Activity
Abused Email
· cloud-init@mail.io (used for malicious SSO logins).
Secondary Accounts
Threat actors often create generic persistence accounts such as:
· secadmin
· itadmin
· support
· backup
· remoteadmin
· audit
Log Entries
· Audit logs may show "Admin login successful" via the SSO method originating from the suspicious IPs listed above.
Actions Taken
· Attackers have been observed exfiltrating firewall configuration files and making unauthorized VPN configuration changes within seconds of login.
CVSS Vectors 3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· There is no plugin for CVE-2026-24858 at this time
Is this on the KEV list
· Yes
What is the CISA patch by date?
· January 30, 2026
Patch Release Date
· January 27, 2026
Mitigation
· Disable FortiCloud SSO
o If a permanent fix is unavailable, disable the feature via the CLI:
    config system global
        set admin-forticloud-sso-login disable
    end
· Restrict Access
o Implement local-in policies to allow management access only from trusted IP ranges.
· Audit Logs: Immediately review logs for login entries from the following known malicious IPs:
o 104.28.244.115
o 104.28.212.114
o 217.119.139.50
o 37.1.209.19
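To verify the CLI mitigation above across a fleet, the setting can be checked in a configuration dump rather than by hand. This is an added example, not code from the advisory or from Fortinet: it walks the config/edit/set/next/end block structure of a Fortinet-style CLI export and reports the admin-forticloud-sso-login value under "system global". The sample dump is constructed and its layout is assumed; an absent key is reported as "unset" so the reviewer can check the device default rather than assuming it.

```python
import shlex

# Constructed sample of a FortiAnalyzer-style CLI configuration dump (assumed layout,
# not a real device export). Hostname and profile values are placeholders.
SAMPLE_CONFIG = """\
config system global
    set hostname "FAZ-01"
    set admin-forticloud-sso-login enable
end
config system admin user
    edit "admin"
        set profileid "Super_User"
    next
end
"""

def parse_fortinet_config(text):
    """Walk config/edit/set/next/end blocks; return {block path: {key: [values]}}."""
    tree, path = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)        # shlex strips the quotes around values
        if not tok:
            continue
        if tok[0] == "config":        # e.g. 'config system global' -> path 'system global'
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":        # table entry, e.g. 'edit "admin"'
            path.append(tok[1])
        elif tok[0] in ("next", "end"):
            path.pop()
        elif tok[0] == "set":
            tree.setdefault("/".join(path), {})[tok[1]] = tok[2:]
    return tree

def sso_login_setting(text):
    """Return 'enable', 'disable' or 'unset' for admin-forticloud-sso-login in 'system global'."""
    values = parse_fortinet_config(text).get("system global", {}).get("admin-forticloud-sso-login")
    return values[0] if values else "unset"

def is_mitigated(text):
    """True only when the dump explicitly disables FortiCloud SSO admin login."""
    return sso_login_setting(text) == "disable"

if __name__ == "__main__":
    print("admin-forticloud-sso-login:", sso_login_setting(SAMPLE_CONFIG),
          "| mitigated:", is_mitigated(SAMPLE_CONFIG))
```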
URL link to patch information
· hxxps://www.fortiguard.com/psirt/FG-IR-26-060
Malware Names
· There is no malware associated with CVE-2026-24858
Malware Family
· Not applicable at this time
sha256
· Not applicable at this time
Known Decoding Key
· Not applicable at this time
Verdict
· High Criticality
· Requires Immediate Mitigation.
Primary Objectives
· Initial access
· Lateral movement
· Data exfiltration from security appliances.
Threat Actor Context
· Two malicious FortiCloud accounts were identified and locked out, which indicates a targeted, sophisticated actor.
Behavior Analysis
· Attackers used specialized, unauthorized FortiCloud accounts to bypass authentication mechanisms, allowing them to impersonate administrators.
Suggested Rules / Potential Hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results, consider creating a data model and reviewing the traffic as a report.
Suricata
· Monitor for unauthenticated SAML login attempts to administration ports (default 443)
alert http $EXTERNAL_NET any -> $HOME_NET [443,10443] (msg:"ET EXPLOIT Fortinet FortiCloud SSO Auth Bypass Attempt (CVE-2026-24858/CVE-2025-59718)"; flow:established,to_server; content:"POST"; http_method; content:"/remote/saml/login"; http_uri; content:"SAMLResponse="; http_client_body; reference:url,fortiguard.com/psirt/FG-IR-25-647; classtype:attempted-admin; sid:2026001; rev:1;)
SentinelOne
· Hunt for unauthorized account creation:
EventType = "User Created" AND (UserName IN ("secadmin", "itadmin", "support", "backup", "remoteadmin", "audit") OR UserEmail = "cloud-init@mail.io")
· Hunt for SSO successful logins from unexpected IPs:
ActivityType = "Login Successful" AND LoginMethod = "SSO" AND src_ip NOT IN (Your_Internal_Subnets)
Splunk
· Detect successful SSO logins against the admin account:
index=fortinet sourcetype="fnt_fortianalyzer" action="login" status="success" method="sso" user="admin"
| table _time, src_ip, user, msg
· Detect configuration exfiltration (GUI-based config export):
index=fortinet sourcetype="fnt_fortianalyzer" msg="*Configuration*exported*"
| stats count by src_ip, user, _time
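The three hunts above (SSO logins from the listed IPs or the abused account, creation of the generic persistence accounts, and a configuration export within seconds of the login) can be run together offline against exported audit logs. This is an added example, not code from the advisory or from Fortinet: the key=value log layout and field names (srcip, method, object, name) are assumed, the sample events are constructed, and the 5-minute export window is a chosen threshold, not a value from the advisory.

```python
import shlex
from datetime import datetime, timedelta

# Indicators taken from the advisory above.
MALICIOUS_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
PERSISTENCE_ACCOUNTS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
ABUSED_EMAIL = "cloud-init@mail.io"
# A config export this soon after an SSO login from the same source is tied to that login (assumed threshold).
EXPORT_WINDOW = timedelta(minutes=5)

# Constructed sample events in an assumed key=value layout (not a real FortiAnalyzer capture;
# 10.0.5.20 and 198.51.100.7 are placeholder addresses).
SAMPLE_LOG = """\
date=2026-01-23 time=10:15:02 action=login status=success method=sso user=admin srcip=104.28.244.115 msg="Admin login successful"
date=2026-01-23 time=10:15:09 action=config status=success user=admin srcip=104.28.244.115 msg="Configuration exported"
date=2026-01-23 time=10:15:40 action=create object=user name=secadmin user=admin srcip=104.28.244.115 msg="User created"
date=2026-01-23 time=11:02:11 action=login status=success method=local user=jdoe srcip=10.0.5.20 msg="Admin login successful"
date=2026-01-23 time=11:40:00 action=config status=success user=jdoe srcip=10.0.5.20 msg="Configuration exported"
date=2026-01-24 time=03:12:45 action=login status=success method=sso user=cloud-init@mail.io srcip=198.51.100.7 msg="Admin login successful"
"""

def parse_line(line):
    """Split one key=value line into a dict; shlex keeps quoted values intact."""
    ev = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    ev["ts"] = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
    return ev

def hunt(log_text):
    """Return (timestamp, reason) findings for the behaviours the advisory describes."""
    findings, last_sso = [], {}  # last_sso: srcip -> time of its latest successful SSO login
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        ip, user, action = ev.get("srcip"), ev.get("user", ""), ev.get("action")
        if action == "login" and ev.get("status") == "success" and ev.get("method") == "sso":
            last_sso[ip] = ev["ts"]
            if ip in MALICIOUS_IPS or user == ABUSED_EMAIL:
                findings.append((ev["ts"], f"SSO login as {user} from {ip} matches listed IP/account"))
        elif action == "create" and ev.get("object") == "user" and ev.get("name") in PERSISTENCE_ACCOUNTS:
            findings.append((ev["ts"], f"persistence-style account {ev['name']} created by {user} from {ip}"))
        elif action == "config" and "exported" in ev.get("msg", "").lower():
            last = last_sso.get(ip)   # only exports that follow an SSO login from the same source
            if last is not None and ev["ts"] - last <= EXPORT_WINDOW:
                findings.append((ev["ts"], f"config export by {user} from {ip} {ev['ts'] - last} after SSO login"))
    return findings

if __name__ == "__main__":
    for ts, reason in hunt(SAMPLE_LOG):
        print(ts, reason)
```

The local login and the later export by jdoe from an internal address produce no findings, which is the noise reduction the data-model advice above is aiming at.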
Delivery Methods
· Exploitation of exposed FortiAnalyzer web management interfaces via FortiCloud SSO misconfigurations.
Reference
Fortiguard
· hxxps://www.fortiguard.com/psirt/FG-IR-26-060
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-24858
CISA KEV Catalog
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858