Full Report
Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it's
Analysis Summary
# Vulnerability: FortiOS Critical Authentication Bypass via FortiCloud SSO
## CVE Details
- CVE ID: CVE-2026-24858
- CVSS Score: 9.4 (Critical)
- CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
## Affected Systems
- Products: FortiOS, FortiManager, FortiAnalyzer. (FortiWeb and FortiSwitch Manager might also be impacted; investigation ongoing.)
- Versions: Not explicitly listed in the summary, but implied to be previous to the patch release.
- Configurations: A specific condition is required: FortiCloud SSO authentication must be enabled on the device, which typically occurs when an administrator registers the device to FortiCare from the GUI or toggles the "Allow administrative login using FortiCloud SSO" switch. Default factory settings are not vulnerable.
## Vulnerability Description
The vulnerability is an Authentication Bypass flaw associated with the FortiOS Single Sign-On (SSO) mechanism leveraging FortiCloud. A successfully authenticated attacker possessing a FortiCloud account and a registered device can leverage this flaw to bypass authentication and log into *other* devices registered to different accounts, provided those devices have FortiCloud SSO enabled.
## Exploitation
- Status: Exploited in the wild. CISA has added this to the KEV catalog.
- Complexity: Likely low, given reports of active exploitation being abused to create persistent local admin accounts and exfiltrate configurations.
- Attack Vector: Network (Requires the attacker to have a registered FortiCloud account and the target device must have the prerequisite configuration).
## Impact
- Confidentiality: High (Access gained allowed for firewall configuration exfiltration).
- Integrity: High (Attackers created local admin accounts and made configuration changes).
- Availability: Potentially high, via unauthorized configuration changes or denial of service (though not explicitly confirmed for DoS).
## Remediation
### Patches
- Fortinet has begun releasing security updates. Customers are required to upgrade to the **latest firmware versions** to secure the FortiCloud SSO authentication functionality.
### Workarounds
- If an issue is detected, treat the device as potentially breached and perform the following actions:
1. Ensure the device is running the latest firmware version.
2. Restore configuration from a known clean version, or audit thoroughly for unauthorized changes.
3. Rotate all credentials, including any LDAP/AD accounts connected to the affected FortiGate devices.
- Fortinet specifically disabled the ability for vulnerable versions to log in via FortiCloud SSO on January 26, 2026, and re-enabled it on January 27, 2026, *only* for devices running patched versions.
## Detection
- Indicators of Compromise: Unauthorized creation of local administrator accounts; unauthorized configuration changes, especially related to granting VPN access.
- Detection Methods and Tools: Audit device logs for unusual SSO activity originating from FortiCloud accounts, particularly authentication attempts to devices not associated with the originating credentials. CISA mandates remediation for federal agencies by January 30, 2026.
## References
- Vendor Advisory: hXXps://fortiguard.fortinet.com/psirt/FG-IR-26-060
- CISA KEV Catalog: hXXps://www.cisa.gov/news-events/alerts/2026/01/27/cisa-adds-one-known-exploited-vulnerability-catalog