
FortiGate Administrator Account Creation from Unusual Source

Elastic Detection Rules

Summary
This rule detects the creation of an administrator account on a FortiGate device from an atypical source IP address, one that has not previously been observed performing administrative operations. The rule targets potential exploitation of the CVE-2026-24858 vulnerability (identified as FG-IR-26-060), which allows threat actors to authenticate by bypassing FortiCloud Single Sign-On (SSO). These attackers typically go on to create local administrator accounts for persistence, using infrastructure that is not associated with normal administrative activity. Administrators are encouraged to compare the source IP against known management sources, check for discrepancies in account activity, and respond swiftly to any unauthorized actions. Immediate actions include deleting unauthorized accounts, blocking malicious IPs, and restoring the system from a secure backup while ensuring that all credentials are rotated and the system is updated to the latest security patches.
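The detection idea above (an administrator account created from a source IP with no prior administrative history) can be reproduced offline over a handful of FortiGate-style system event logs. The following is an added example written for this page, not the Elastic rule's own query or Fortinet code; the key=value field names (`ui`, `cfgpath`, `cfgobj`, `action`) approximate FortiGate event logs and are assumptions, and the log lines and RFC 5737 addresses are constructed. A login alone does not count as administrative history, so the attacker's own first SSO login does not suppress the alert; only prior configuration changes establish a known source, and a `known_sources` seed lets the analyst supply documented management addresses.

```python
import re

# Constructed sample FortiGate-style system event log lines in key=value syslog
# form. Field names (ui, cfgpath, cfgobj, action) approximate FortiGate event
# logs and are assumptions for this example; addresses come from RFC 5737.
SAMPLE_LOGS = [
    'date=2026-01-26 time=08:00:00 type="event" subtype="system" action="Add" user="admin" ui="console" cfgpath="system.admin" cfgobj="admin_backup" msg="Add system.admin admin_backup"',
    'date=2026-01-27 time=09:00:01 type="event" subtype="system" action="login" status="success" user="admin" ui="https(10.0.0.5)" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2026-01-27 time=09:05:10 type="event" subtype="system" action="Edit" user="admin" ui="GUI(10.0.0.5)" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
    'date=2026-01-28 time=02:14:33 type="event" subtype="system" action="login" status="success" user="svc_sso" ui="https(198.51.100.77)" msg="Administrator svc_sso logged in successfully from https(198.51.100.77)"',
    'date=2026-01-28 time=02:15:02 type="event" subtype="system" action="Add" user="svc_sso" ui="GUI(198.51.100.77)" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2026-01-28 time=10:30:45 type="event" subtype="system" action="Add" user="admin" ui="GUI(10.0.0.5)" cfgpath="system.admin" cfgobj="helpdesk2" msg="Add system.admin helpdesk2"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
CONFIG_ACTIONS = {"Add", "Edit", "Delete"}


def parse_event(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(event):
    """Extract the administrator's source IP from the ui field, e.g. GUI(10.0.0.5).
    Console or serial sessions carry no IP and return None."""
    m = IP_RE.search(event.get("ui", ""))
    return m.group(1) if m else None


def is_config_change(event):
    """A configuration change is an Add/Edit/Delete against a cfgpath."""
    return event.get("action") in CONFIG_ACTIONS and "cfgpath" in event


def is_admin_account_creation(event):
    """Creation of a local administrator: Add on the system.admin path."""
    return event.get("action") == "Add" and event.get("cfgpath") == "system.admin"


def find_new_source_admin_creations(lines, known_sources=()):
    """Flag administrator account creations whose source IP has not previously
    performed any configuration change. Events are processed in order and the
    history is updated only after each event is checked, so the creating event
    cannot whitelist its own source. known_sources seeds the baseline with
    documented management addresses."""
    known = set(known_sources)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        ip = source_ip(ev)
        if ip is None:
            continue  # console/serial session: not a network source, out of scope
        if is_admin_account_creation(ev) and ip not in known:
            alerts.append({
                "timestamp": f"{ev.get('date')} {ev.get('time')}",
                "actor": ev.get("user"),
                "new_admin": ev.get("cfgobj"),
                "srcip": ip,
            })
        if is_config_change(ev):
            known.add(ip)
    return alerts


if __name__ == "__main__":
    for a in find_new_source_admin_creations(SAMPLE_LOGS):
        print(f"ALERT {a['timestamp']}: {a['actor']} created admin "
              f"'{a['new_admin']}' from new source {a['srcip']}")
```

Run against the constructed logs, the only alert is the `support_tmp` account created from 198.51.100.77: that address had merely logged in, whereas 10.0.0.5 had already edited a firewall policy and so is treated as a known management source. Seeding `known_sources` with an address suppresses alerts for it, which is how an analyst would encode the "compare against known management sources" step from the summary.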
Categories
  • Network
  • Identity Management
Data Sources
  • Firewall
  • Process
  • User Account
ATT&CK Techniques
  • T1136
  • T1136.001
Created: 2026-01-28