{"id":182718,"date":"2026-01-29T12:17:00","date_gmt":"2026-01-29T17:17:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/29\/cisa-security-researchers-warn-forticloud-sso-flaw-is-under-attack\/"},"modified":"2026-01-29T12:55:11","modified_gmt":"2026-01-29T17:55:11","slug":"cisa-security-researchers-warn-forticloud-sso-flaw-is-under-attack","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/29\/cisa-security-researchers-warn-forticloud-sso-flaw-is-under-attack\/","title":{"rendered":"CISA, security researchers warn FortiCloud SSO flaw is under attack"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-researchers-warn-forticloud-flaw-attack\/810861\/\">CISA, security researchers warn FortiCloud SSO flaw is under attack<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-researchers-warn-forticloud-flaw-attack\/810861\/\">https:\/\/www.cybersecuritydive.com\/news\/cisa-researchers-warn-forticloud-flaw-attack\/810861\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-29 12:17:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Federal authorities and security researchers are warning about a critical vulnerability in Fortinet FortiCloud single sign-on, which is currently under exploitation.\u00a0<br \/>\nThe flaw, tracked as CVE-2026-24858, allows an attacker with a registered device and a FortiCloud account to access devices registered to other accounts. 
FortiCloud SSO authentication needs to be enabled in those other devices in order for the attack to work.\u00a0<br \/>\nThe Cybersecurity and Infrastructure Security Agency on Wednesday warned that Fortinet has confirmed several forms of malicious activity, including hackers changing firewall configurations on FortiGate devices, creating false unauthorized accounts and making changes on VPN accounts in order to get access to new accounts.<\/p>\n<p>CISA said users who previously patched prior SSO bypass flaws in December, tracked as CVE-2025-59718 and CVE-2025-59719, were not protected from this vulnerability and needed to upgrade. CISA added the new flaw to its Known Exploited Vulnerabilities catalog.\u00a0<br \/>\nShadowserver reported about 10,000 vulnerable instances.\u00a0<br \/>\nFortinet released guidance on Tuesday for users to upgrade to a secure version. The flaw impacts users of multiple products.<br \/>\nFortinet on Monday disabled FortiCloud SSO in order to prevent abuse\u00a0and restored access on Tuesday, according to a blog post. The company noted that access for vulnerable devices will no longer be supported.<br \/>\nResearchers at Arctic Wolf began seeing a pattern of automated configuration changes to firewalls on Jan. 15. Hackers were creating generic accounts in order to gain persistence, making changes to allow VPN access to the accounts. This led to additional configuration changes and data exfiltration.\u00a0<br \/>\n\u201cDespite differing underlying technical flaws, there are still similarities between the December and January campaigns,\u201d Arctic Wolf researchers told Cybersecurity Dive in an emailed statement. 
\u201cIn both cases, we observed successful authentication via Fortinet SSO followed by near-immediate download of firewall configuration files, often within seconds, suggesting automated or scripted behavior.\u201d<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA, security researchers warn FortiCloud SSO flaw is under attack https:\/\/www.cybersecuritydive.com\/news\/cisa-researchers-warn-forticloud-flaw-attack\/810861\/ Publish Date: 2026-01-29 12:17:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":182719,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/Y8v7T0qfhU8HQxpSfUSQEP77cTHpKtNRu3vS6uMAskM\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0xNjMxMDQ3NTUxLmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-182718","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182718"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=182718"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182718\/revisions"}],"predecessor-version":[{"id":182720,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182718\/revisions\/182720"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.c
om\/index.php\/wp-json\/wp\/v2\/media\/182719"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=182718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=182718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=182718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}