
Fortinet has begun releasing security updates to address a critical flaw affecting FortiOS that is being exploited in the wild.
The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), is described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it is still investigating whether other products, such as FortiWeb and FortiSwitch Manager, are affected.
Classified as an “Authentication Bypass Vulnerability Using Alternate Paths or Channels” [CWE-288], the weakness means that “FortiOS, FortiManager, and FortiAnalyzer allow an attacker with a FortiCloud account and a registered device to log in to a device registered to another account if FortiCloud SSO authentication is enabled on the device,” Fortinet said in an advisory published Tuesday.
Note that the FortiCloud SSO login feature is not enabled in the factory default settings. It is turned on only when an administrator enrolls the device with FortiCare from the device GUI, unless the administrator explicitly toggles off the “Allow administrative login using FortiCloud SSO” switch during that process.
This development comes days after Fortinet confirmed that unidentified attackers were exploiting a “new attack path” to achieve SSO logins without requiring authentication. This access was exploited to create local administrator accounts for persistence, make configuration changes to allow those accounts VPN access, and compromise firewall configurations.

The network security vendor announced that it has taken the following actions over the past week:
- Locked out two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) on January 22, 2026
- Disabled FortiCloud SSO on the FortiCloud side on January 26, 2026
- Re-enabled FortiCloud SSO on January 27, 2026, but with the option to log in from a device running a vulnerable version disabled
This means that for FortiCloud SSO authentication to work, customers must upgrade to the latest version of the software. Fortinet also urges users who detect indicators of compromise to treat their devices as compromised and recommends the following actions:
- Make sure your device is running the latest firmware version.
- Restore the configuration to a known clean version or audit it for unauthorized changes.
- Rotate credentials, including LDAP/AD accounts, that may be connected to FortiGate devices.
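The configuration audit recommended above can be partly automated against a FortiGate configuration backup. The following is an added example (not Fortinet's code or tooling): it parses the config/edit/set/next/end structure of a FortiOS CLI backup, reports whether the FortiCloud SSO admin-login toggle is enabled, and lists administrator accounts that are not in an operator-maintained baseline. The CLI key name `admin-forticloud-sso-login` under `config system global` and the sample configuration are assumptions constructed for this example.

```python
# Constructed sample of a FortiOS-style configuration backup (not a real device export).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Administrator accounts the operator expects to exist (the known-clean baseline).
KNOWN_ADMINS = {"admin"}


def parse_config(text):
    """Parse the config/edit/set/next/end subset of FortiOS CLI syntax.
    Returns {section_path: {entry_name: {key: value}}}; 'set' lines outside
    any 'edit' are stored under the entry name ''."""
    tree, path, entries = {}, [], [""]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[7:].strip())
            entries.append("")
        elif line.startswith("edit "):
            entries[-1] = line[5:].strip().strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            section = tree.setdefault(" / ".join(path), {})
            section.setdefault(entries[-1], {})[key] = value.strip().strip('"')
        elif line == "next":
            entries[-1] = ""
        elif line == "end":
            path.pop()
            entries.pop()
    return tree


def audit_config(text, known_admins=KNOWN_ADMINS):
    """Return findings: SSO admin login enabled, and admin accounts outside the baseline."""
    tree = parse_config(text)
    findings = []
    system_global = tree.get("system global", {}).get("", {})
    # Assumed key name for the "Allow administrative login using FortiCloud SSO" toggle.
    if system_global.get("admin-forticloud-sso-login") == "enable":
        findings.append("FortiCloud SSO admin login is enabled: confirm firmware is patched or disable it")
    for name, attrs in tree.get("system admin", {}).items():
        if name and name not in known_admins:
            findings.append(f"unexpected admin account '{name}' (profile {attrs.get('accprofile', '?')})")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```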
In light of this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog and requires Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by January 30, 2026.
