Full Report
Fortinet security advisory (AV26-059) – Update 1
Analysis Summary
# Vulnerability: Critical Authentication Bypass in Fortinet Products (AV26-059 Update 1)
## CVE Details
- CVE ID: CVE-2026-24858
- CVSS Score: (Severity not explicitly provided in text, classified as Critical due to in-the-wild exploitation)
- CWE: (Not available in source text)
## Affected Systems
- Products: FortiAnalyzer, FortiManager, FortiOS, FortiProxy
- Versions:
- FortiAnalyzer: 7.6.0 to 7.6.5, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11, 7.0.0 to 7.0.15
- FortiManager: 7.6.0 to 7.6.5, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11, 7.0.0 to 7.0.15
- FortiOS: 7.6.0 to 7.6.5, 7.4.0 to 7.4.10, 7.2.0 to 7.2.12, 7.0.0 to 7.0.18
- FortiProxy: 7.6.0 to 7.6.4, 7.4.0 to 7.4.12, All versions of 7.2.x and 7.0.x
- Configurations: Impacting devices utilizing FortiCloud SSO authentication.
## Vulnerability Description
The vulnerability is described as an Administrative FortiCloud SSO authentication bypass. Successful exploitation allows an attacker to circumvent standard authentication mechanisms when using FortiCloud Single Sign-On.
## Exploitation
- Status: Exploited in the wild.
- Complexity: (Not explicitly stated, but exploitation in the wild suggests manageable complexity for threat actors).
- Attack Vector: (Implied Network/Remote due to nature of SSO bypass).
## Impact
- Confidentiality: High (Likely unauthorized access to administrative functions)
- Integrity: High (Likely unauthorized configuration changes)
- Availability: Medium/High (Depending on the scope of administrative access achieved)
## Remediation
### Patches
Users must upgrade to versions later than those listed above. Specific fixed versions were not detailed in this update but must be checked against the official Fortinet advisory (FG-IR-26-060).
### Workarounds
Fortinet has disabled FortiCloud SSO from devices running vulnerable versions. Clients must upgrade to the latest versions for the FortiCloud SSO authentication to function correctly. This suggests that environments relying solely on the vulnerable SSO implementation are currently non-functional or restricted until patching occurs.
## Detection
- Status: Added to the CISA Known Exploited Vulnerabilities (KEV) Database, indicating active exploitation is confirmed.
- Detection methods and tools: Review network activity related to FortiCloud SSO authentication processes for anomalies, specifically focusing on failed or suspicious login attempts following implementation of the temporary vendor fix (SSO disabled).
## References
- Vendor Advisories: hXXps://fortiguard.fortinet.com/psirt/FG-IR-26-060
- CISA KEV: hXXps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858
- Fortinet PSIRT Advisories: hXXps://www.fortiguard.com/psirt?filter=1&version=&severity=5&severity=4&severity=3&severity=2