Fortinet Releases Critical Patch for CVE-2026-24858 Amid Active Exploitation
Fortinet has issued critical security updates to address a severe vulnerability in FortiOS, identified as CVE-2026-24858, which has been actively exploited in the wild. This flaw, with a CVSS score of 9.4, pertains to an authentication bypass within FortiOS’s single sign-on (SSO) feature. The vulnerability also affects FortiManager and FortiAnalyzer, with ongoing investigations to determine if other products, such as FortiWeb and FortiSwitch Manager, are impacted.
The vulnerability allows an attacker possessing a FortiCloud account and a registered device to access other devices registered to different accounts, provided that FortiCloud SSO authentication is enabled on those devices. Notably, the FortiCloud SSO login feature is disabled by default and becomes active only when an administrator registers the device to FortiCare via the device’s GUI, unless they have explicitly disabled the "Allow administrative login using FortiCloud SSO" option.
This development follows Fortinet’s recent confirmation that unidentified threat actors have been exploiting a new attack path to achieve SSO logins without authentication. These unauthorized accesses have been used to create local admin accounts for persistent access, modify configurations to grant VPN access to these accounts, and exfiltrate firewall configurations.
In response to these incidents, Fortinet has implemented several measures over the past week:
– On January 22, 2026, the company locked out two malicious FortiCloud accounts ([email protected] and [email protected]).
– On January 26, 2026, Fortinet disabled FortiCloud SSO on the FortiCloud side.
– On January 27, 2026, FortiCloud SSO was re-enabled, but the option to log in from devices running vulnerable versions was disabled.
Consequently, customers must upgrade to the latest software versions to restore FortiCloud SSO functionality. Fortinet advises users who detect signs of compromise to treat their devices as breached and recommends the following actions:
– Ensure the device is running the latest firmware version.
– Restore configuration from a known clean version or audit for any unauthorized changes.
– Rotate credentials, including any LDAP/AD accounts connected to the FortiGate devices.
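One way to carry out the audit step above (example code added here, not Fortinet tooling): a small Python script that parses a FortiGate configuration backup, reports whether FortiCloud SSO administrative login is enabled, and lists administrator accounts that are missing from an approved baseline. The sample configuration is constructed, and the CLI key `admin-forticloud-sso-login` under `config system global` and the `config system admin` table are assumed from FortiOS CLI conventions rather than taken from the article.

```python
# Constructed sample FortiGate config backup (not a real device's config).
# Key names 'admin-forticloud-sso-login' and 'system admin' are assumed from
# FortiOS CLI conventions; verify against your firmware's CLI reference.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

def parse_blocks(text):
    """Map 'config a b' block paths (and 'edit' entries inside them,
    joined with '/') to their 'set key value' pairs."""
    result, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
            result.setdefault("/".join(path), {})
        elif line.startswith("edit "):
            path.append(line[len("edit "):].strip('"'))
            result.setdefault("/".join(path), {})
        elif line in ("next", "end"):
            path.pop()
        elif line.startswith("set ") and path:
            key, _, value = line[len("set "):].partition(" ")
            result["/".join(path)][key] = value.strip('"')
    return result

def audit(text, approved_admins):
    """Return findings: SSO admin login enabled, and admins not in the baseline."""
    blocks, findings = parse_blocks(text), []
    sso = blocks.get("system global", {}).get("admin-forticloud-sso-login")
    if sso == "enable":
        findings.append("FortiCloud SSO admin login is enabled")
    for key, settings in blocks.items():
        # direct entries of 'config system admin' have exactly one '/'
        if key.startswith("system admin/") and key.count("/") == 1:
            name = key.split("/", 1)[1]
            if name not in approved_admins:
                findings.append(f"unapproved admin account: {name} ({settings.get('accprofile')})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"admin"}):
        print(finding)
```

Run it against a backup taken from the device and compare the admin list with the baseline kept in change management; any account not in the baseline is a candidate for the "unauthorized changes" the advisory describes.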
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by January 30, 2026.
On January 28, 2026, CISA issued additional guidance, noting that the vulnerability allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud SSO is enabled on those devices. Customers using these products are urged to upgrade to the latest versions to restore FortiCloud SSO services.
Fortinet is still investigating the exposure of FortiSwitch Manager to this security flaw. The company has confirmed that the issue is limited to FortiCloud SSO and does not affect third-party SAML IdP or FortiAuthenticator implementations.
Given the active exploitation of this vulnerability, it is imperative for organizations using affected Fortinet products to apply the necessary patches promptly to secure their systems against potential threats.