Introduction
Fortinet has started rolling out security updates to remediate a critical authentication bypass vulnerability in FortiOS that is being actively exploited in the wild. The flaw, tracked as CVE-2026-24858, impacts FortiCloud single sign-on functionality and poses a significant risk to organizations relying on Fortinet infrastructure.
Background and Context
The vulnerability carries a CVSS score of 9.4 and affects FortiOS, FortiManager, and FortiAnalyzer. Fortinet is also assessing potential exposure in additional products, including FortiWeb and FortiSwitch Manager.
According to Fortinet, the issue stems from an authentication bypass using an alternate path or channel, allowing attackers with a FortiCloud account and a registered device to access other customers’ devices if FortiCloud SSO is enabled.
Technical Details
CVE-2026-24858 is classified under CWE-288 and enables unauthorized administrative access through FortiCloud SSO. While FortiCloud SSO is disabled by default, it becomes active when administrators register devices to FortiCare through the graphical interface, unless the SSO administrative login option is explicitly disabled.
Exploitation of this flaw allows threat actors to authenticate without valid credentials, creating a high-risk scenario for exposed environments.
Timeline of Events
Fortinet confirmed that unidentified threat actors leveraged a previously unknown attack path to bypass authentication and gain administrative access. Once inside, attackers were observed performing the following actions:
- Creating local administrator accounts to maintain persistence
- Modifying configurations to grant VPN access
- Exfiltrating firewall configuration data
In response, Fortinet implemented several mitigation steps:
- January 22, 2026: Two malicious FortiCloud accounts were locked
- January 26, 2026: FortiCloud SSO was disabled server-side
- January 27, 2026: FortiCloud SSO was re-enabled with restrictions preventing vulnerable versions from authenticating
As a result, FortiCloud SSO functionality now requires customers to upgrade to patched versions.
Impact and Scope
Organizations using FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb with FortiCloud SSO enabled are impacted. The vulnerability does not affect third-party SAML identity providers or FortiAuthenticator integrations, according to Fortinet.
Cybersecurity and Infrastructure Security Agency has added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog, underscoring the severity of the issue. Federal Civilian Executive Branch agencies have been directed to remediate affected systems by January 30, 2026.
Response and Mitigation
Fortinet urges customers who observe indicators of compromise to treat affected devices as breached and take immediate action:
- Upgrade all affected products to the latest firmware versions
- Restore configurations from known clean backups or conduct thorough audits
- Rotate all credentials, including connected LDAP and Active Directory accounts
CISA has also advised organizations to inspect all internet-accessible Fortinet devices for signs of compromise and apply updates without delay.
Outlook
Active exploitation of CVE-2026-24858 highlights the growing risk associated with cloud-linked authentication mechanisms in network security appliances. Organizations are advised to reassess their use of FortiCloud SSO, ensure strict access controls, and maintain timely patch management to reduce exposure to similar attack paths in the future.
