Article Title: Fortinet Releases Critical Patch for FortiOS SSO Vulnerability Amid Active Exploitation
Fortinet has issued critical security updates to address a severe vulnerability in FortiOS, identified as CVE-2026-24858, which has been actively exploited in the wild. This flaw, with a CVSS score of 9.4, pertains to an authentication bypass in FortiOS’s single sign-on (SSO) feature and also affects FortiManager and FortiAnalyzer. The company is currently investigating whether other products, such as FortiWeb and FortiSwitch Manager, are similarly impacted.
The vulnerability allows an attacker with a FortiCloud account and a registered device to log into other devices registered to different accounts if FortiCloud SSO authentication is enabled on those devices. Notably, the FortiCloud SSO login feature is not enabled by default; it becomes active when an administrator registers the device to FortiCare via the device’s GUI, unless they have explicitly disabled the Allow administrative login using FortiCloud SSO option.
This development follows Fortinet’s recent confirmation that unidentified threat actors have been exploiting a new attack path to achieve SSO logins without authentication. These unauthorized accesses have been used to create local admin accounts for persistence, modify configurations to grant VPN access to these accounts, and exfiltrate firewall configurations.
In response to these incidents, Fortinet has taken several measures over the past week:
– On January 22, 2026, the company locked out two malicious FortiCloud accounts ([email protected] and [email protected]).
– On January 26, 2026, Fortinet disabled FortiCloud SSO on the FortiCloud side.
– On January 27, 2026, FortiCloud SSO was re-enabled, but the option to log in from devices running vulnerable versions was disabled.
Consequently, customers must upgrade to the latest software versions for FortiCloud SSO authentication to function properly. Fortinet advises users who detect signs of compromise to treat their devices as breached and recommends the following actions:
– Ensure the device is running the latest firmware version.
– Restore configuration with a known clean version or audit for any unauthorized changes.
– Rotate credentials, including any LDAP/AD accounts connected to the FortiGate devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by January 30, 2026.
