Fortinet has addressed a critical authentication bypass vulnerability, CVE-2026-24858, affecting FortiOS, FortiManager, FortiAnalyzer, FortiWeb and FortiProxy. The vulnerability, with a CVSS score of 9.4, is actively exploited in the wild, making it crucial for organizations to apply the necessary patches immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgency for Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by January 30, 2026.
Root Cause and Exploitation
The root cause of CVE-2026-24858 is classified as an “Authentication Bypass Using an Alternate Path or Channel” (CWE-288). The flaw exists within the FortiCloud Single Sign-On (SSO) login mechanism. While this feature is not enabled by default, it is automatically activated when an administrator registers a device to FortiCare via the GUI, unless the “Allow administrative login using FortiCloud SSO” option is explicitly disabled.
Attackers exploit this vulnerability by leveraging a “new attack path” that enables them to obtain SSO logins without valid authentication credentials. Specifically, an attacker with their own FortiCloud account and a registered device can log into other devices registered to entirely different accounts, provided those target devices have FortiCloud SSO enabled. Once inside, threat actors have been observed using two malicious accounts, [email protected] and [email protected], to automate the creation of local admin accounts for persistence, modify configurations to grant VPN access, and exfiltrate sensitive firewall configuration files.
Affected Products
According to the Fortinet PSIRT Advisory FG-IR-26-060, the following products and versions are affected:
| Product | Affected Versions |
| FortiOS | 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18 |
| FortiManager | 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15 |
| FortiAnalyzer | 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15 |
| FortiProxy | 7.4.0 through 7.4.5, 7.2.0 through 7.2.13, 7.0.0 through 7.0.19 |
| FortiWeb | 7.4.0 through 7.4.11, 7.6.0 through 7.6.6, 8.0.0 through 8.0.3 |
| FortiSwitch Manager | Under Investigation |
Tactics, Techniques, and Procedures (TTPs)
The exploitation of this vulnerability and subsequent post-compromise activity involve multiple MITRE ATT&CK tactics. Attackers have been observed using automated scripts to perform rapid configuration exports and account creations.
| Tactic | Tactic ID | Technique | Technique ID |
| Persistence | TA0003 | Valid Accounts; Boot or Logon Autostart Execution: Registry Run Keys | T1078; T1547.001 |
| Privilege Escalation | TA0004 | Exploitation for Privilege Escalation | T1068 |
| Credential Access | TA0006 | Modify Authentication Process | T1556 |
| Discovery | TA0007 | Data from Information Repositories | T1213 |
| Execution | TA0002 | Command and Scripting Interpreter | T1059 |
| Exfiltration | TA0010 | Automated Exfiltration | T1020 |
Mitigation & Recommendations
To address CVE-2026-24858, Fortinet has released patches and implemented server-side restrictions. FortiOS 7.4.11 and subsequent releases for other products contain the necessary fixes.
On January 26, 2026, Fortinet temporarily disabled FortiCloud SSO globally and re-enabled it on January 27 with a block in place for any devices running vulnerable versions. Consequently, upgrading to the latest software versions is mandatory for FortiCloud SSO to function.
If you suspect a compromise, follow these steps:
- Update Firmware: Immediately upgrade to the latest patched version.
- Audit for Changes: Restore configurations from a known clean version and check for unauthorized admin accounts or VPN settings.
- Credential Rotation: Rotate all credentials, including LDAP/AD accounts connected to FortiGate devices.
- Restrict Access: Use local-in policies to limit administrative access to trusted IP addresses only.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.