Overview
Fortinet has released guidance addressing CVE-2026-24858, a critical authentication bypass vulnerability affecting its FortiOS, FortiManager, and FortiAnalyzer products. With a CVSS score of 9.4, this vulnerability allows attackers to circumvent FortiCloud single sign-on (SSO) authentication and gain unauthorized access to devices registered to other accounts. The flaw has been actively exploited in the wild since mid-January 2026, marking the latest in a series of authentication-related vulnerabilities affecting Fortinet's security infrastructure.
The vulnerability was discovered through active exploitation by threat actors operating malicious FortiCloud accounts. Fortinet blocked two such accounts on January 22, 2026, after detecting unauthorized access attempts. The company subsequently disabled FortiCloud SSO on January 26 and re-enabled it on January 27 with controls implemented to prevent logins from vulnerable software versions.
Arctic Wolf researchers identified a new attack cluster targeting FortiGate devices beginning January 15, 2026, which bore similarities to previous December 2025 campaigns exploiting CVE-2025-59718 and CVE-2025-59719. By January 20, multiple Fortinet customers reported attackers had gained access to their FortiGate firewalls despite systems running the most recent updates at that time.
CVE-2026-24858 is classified as an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288). The flaw enables attackers with a FortiCloud account and a registered device to log into other devices registered to different accounts when FortiCloud SSO authentication is enabled.
What distinguishes this vulnerability is that it is a new attack path, separate from the December 2025 flaws. Fortinet confirmed that devices fully patched for CVE-2025-59718 and CVE-2025-59719 remained vulnerable to CVE-2026-24858, indicating a distinct authentication bypass mechanism. The company noted that while exploitation has so far been observed through FortiCloud SSO, the underlying issue applies to all SAML SSO implementations.
Once attackers gain access through the SSO bypass, they execute a highly automated attack sequence:
These actions occur within seconds of initial compromise, suggesting orchestrated, automated tooling. Exported configurations include hashed credentials that threat actors can attempt to crack offline, multiplying the risk of further compromise.
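One defensive use of the "within seconds" observation above is a simple correlation rule: an administrator login that is followed almost immediately by a configuration export from the same user and source address is worth an alert, and a login that arrived through the SSO path deserves priority. The script below is an added example written for this summary, not code from Fortinet, Arctic Wolf or any other source cited here. The log lines are constructed in FortiGate-style key=value syntax; every value in them (addresses, usernames, logid numbers, the logdesc wording, the "sso(...)" form of the ui field) is an assumption made for the example, so the field names and strings must be checked against the log format of the release actually in use before the rule is deployed.

```python
import re
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed sample events in FortiGate-style key=value log syntax.
# Every value (IPs, users, logids, logdesc text, the "sso(...)" ui form)
# is made up for this example; real field values vary by release.
SAMPLE_EVENTS = [
    'date=2026-01-20 time=03:14:02 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="sso(203.0.113.7)" '
    'srcip=203.0.113.7 action="login" status="success"',
    'date=2026-01-20 time=03:14:05 logid="0100044546" type="event" subtype="system" '
    'logdesc="Configuration backup" user="admin" ui="sso(203.0.113.7)" '
    'srcip=203.0.113.7 action="backup" status="success"',
    # An interactive admin doing a backup 40 minutes after logging in (benign).
    'date=2026-01-20 time=09:02:10 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(192.0.2.10)" '
    'srcip=192.0.2.10 action="login" status="success"',
    'date=2026-01-20 time=09:41:55 logid="0100044546" type="event" subtype="system" '
    'logdesc="Configuration backup" user="netops" ui="https(192.0.2.10)" '
    'srcip=192.0.2.10 action="backup" status="success"',
]

# key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed logdesc wording for the two event kinds we correlate.
LOGIN_DESC = "Admin login successful"
EXPORT_DESCS = {"Configuration backup"}


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one key=value log line into a dict and attach a datetime as '_ts'."""
    fields: Dict[str, Any] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    fields["_ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return fields


def find_login_then_export(lines: List[str], window_seconds: int = 60) -> List[Dict[str, Any]]:
    """Return one finding per successful admin login that is followed, within
    window_seconds, by a configuration export from the same user and source IP.
    Logins that came through the SSO path are flagged via 'via_sso'."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["_ts"])
    window = timedelta(seconds=window_seconds)
    findings: List[Dict[str, Any]] = []
    for i, ev in enumerate(events):
        if ev.get("logdesc") != LOGIN_DESC or ev.get("status") != "success":
            continue
        for later in events[i + 1:]:
            if later["_ts"] - ev["_ts"] > window:
                break  # events are time-sorted, nothing later can match
            if (later.get("logdesc") in EXPORT_DESCS
                    and later.get("user") == ev.get("user")
                    and later.get("srcip") == ev.get("srcip")):
                findings.append({
                    "user": ev["user"],
                    "srcip": ev["srcip"],
                    "via_sso": str(ev.get("ui", "")).startswith("sso"),
                    "seconds_to_export": int((later["_ts"] - ev["_ts"]).total_seconds()),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_login_then_export(SAMPLE_EVENTS):
        print(finding)
```

With the default 60-second window only the constructed "admin" session is reported (login to export in 3 seconds, via SSO); the "netops" session, where the export comes 40 minutes later, is not. The window is the tuning knob: a tighter window trades recall for precision, and the `via_sso` flag lets a triage queue put SSO-originated sessions first.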
| Product | Affected Versions | Status |
| --- | --- | --- |
| FortiOS | Multiple versions (investigation ongoing) | Actively exploited |
| FortiManager | Multiple versions (investigation ongoing) | Actively exploited |
| FortiAnalyzer | 7.6.0 through 7.6.5 (and potentially others) | Confirmed vulnerable |
| FortiProxy | Potentially affected | Under investigation |
| FortiWeb | Under investigation | Unknown |
| FortiSwitch Manager | Under investigation | Unknown |
Fortinet is continuing to investigate whether additional products including FortiWeb and FortiSwitch Manager are impacted.
Fortinet has implemented the following protective measures:
Immediate Actions: FortiCloud SSO now blocks vulnerable device versions from logging in, forcing customers to upgrade to supported releases. The service was disabled temporarily and re-enabled with authentication checks in place.
Recommended Workarounds: Administrators can manually disable FortiCloud SSO on FortiOS, FortiProxy, FortiManager, and FortiAnalyzer via the GUI or CLI as a precautionary measure until systems are fully patched. However, Fortinet states this is not strictly required since the service now prevents vulnerable versions from accessing it.
Patch Requirements: Organizations must upgrade to patched versions of affected products to restore full FortiCloud SSO functionality.
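For administrators who choose the workaround above, the FortiOS CLI form is shown below as an added example; it is not text from Fortinet's advisory. It uses the FortiOS `system global` setting `admin-forticloud-sso-login`, which controls whether FortiCloud SSO admin login is accepted on a FortiGate. Lines beginning with `#` are annotations, not CLI input. The equivalent commands on FortiProxy, FortiManager and FortiAnalyzer are not reproduced here because their setting names are not on this page; take them from the PSIRT advisory (FG-IR-26-060) rather than assuming they match.

```text
# Check the current state before changing anything (FortiOS CLI)
show full-configuration system global | grep admin-forticloud-sso-login

# Disable FortiCloud SSO admin login until the device runs a fixed release
config system global
    set admin-forticloud-sso-login disable
end

# Re-run the check; the setting should now read "disable"
show full-configuration system global | grep admin-forticloud-sso-login
```

Disabling the setting removes only the SSO login path; local and other configured admin authentication methods keep working, so the change should be recorded so that the SSO path is re-enabled deliberately after the upgrade rather than forgotten.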
This vulnerability exists within a broader pattern of authentication bypass issues in Fortinet's SSO infrastructure. In December 2025, Fortinet disclosed two critical related flaws - CVE-2025-59718 and CVE-2025-59719 - involving improper verification of cryptographic signatures in SAML implementations. Threat actors began exploiting these vulnerabilities within three days of patch release.
The December attacks specifically targeted admin accounts from multiple hosting providers, particularly [email protected] accounts, and resulted in configuration exfiltration. Arctic Wolf's observations of similar attack patterns in January suggest either a continuation of December campaigns or threat actors adapting to exploit the newly discovered CVE-2026-24858.
FortiCloud SSO is disabled by default and only activates when administrators register devices to FortiCare via the GUI or explicitly enable the option, which may have limited initial exposure but leaves enabled installations at significant risk.
| Attribute | Details |
| --- | --- |
| CVE Identifier | CVE-2026-24858 |
| CVSS Score | 9.4 (Critical) |
| Vulnerability Type | Authentication Bypass (CWE-288) |
| Attack Vector | Network-based, requires FortiCloud account and registered device |
| First Exploitation | Mid-January 2026 |
| Confirmed Exploited Accounts | 2 malicious FortiCloud accounts (blocked January 22) |
| Primary Attack Target | Admin accounts and firewall configurations |
| CISA KEV Status | Listed |
The emergence of CVE-2026-24858 continues a concerning trend for Fortinet customers. The December 2025 vulnerabilities (CVE-2025-59718 and CVE-2025-59719) demonstrated that threat actors could rapidly weaponize Fortinet authentication flaws, and this pattern has repeated within weeks. Security researchers from watchTowr note active probing for devices with FortiCloud SSO enabled, indicating broader reconnaissance efforts beyond confirmed exploitation.
The timing and sophistication of these attacks - occurring across multiple authentication bypass vectors within a two-month period - suggest either a coordinated threat actor campaign or multiple groups targeting the same infrastructure weaknesses.
SUPPORTING DOCUMENTATION
Security Affairs, Fortinet patches actively exploited FortiOS SSO auth bypass (CVE-2026-24858) - https://securityaffairs.com/187426/security/fortinet-patches-actively-exploited-fortios-sso-auth-bypass-cve-2026-24858.html
The Hacker News, Fortinet Patches CVE-2026-24858 After Active FortiOS SSO - https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
CyberScoop, Fortinet's latest zero-day vulnerability carries frustrating familiarities - https://cyberscoop.com/ortinet-zero-day-cve-2026-24858-forticloud-sso-auth-bypass/
SOCPrime, CVE-2026-24858: FortiOS SSO Zero-Day Exploited in the Wild - https://socprime.com/blog/cve-2026-24858-vulnerability/
Fortinet PSIRT, FortiCloud SSO authentication bypass - https://fortiguard.fortinet.com/psirt/FG-IR-26-060
National Vulnerability Database, CVE-2026-24858 Detail - https://nvd.nist.gov/vuln/detail/CVE-2026-24858
Arctic Wolf, CVE-2026-24858 - https://arcticwolf.com/resources/blog/cve-2026-24858/
SecurityWeek, Fortinet Patches Exploited FortiCloud SSO Authentication Bypass - https://www.securityweek.com/fortinet-patches-exploited-forticloud-sso-authentication-bypass/