Fortinet published a PSIRT advisory on January 27, 2026 assigning CVE-2026-24858 (CVSS 9.4) to a critical FortiCloud SSO authentication bypass that has been actively exploited since mid-January. The flaw allows anyone with a FortiCloud account to authenticate to other customers' FortiGate, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer devices, provided FortiCloud SSO is enabled on the target.
Vulnerability overview
| Attribute | Value |
|---|---|
| CVE | CVE-2026-24858 |
| CVSS score | 9.4 (Critical) |
| Vulnerability type | Authentication Bypass Using an Alternate Path or Channel |
| CWE | CWE-288 |
| Exploit status | Actively exploited |
| CISA KEV added | January 27, 2026 |
| Federal remediation deadline | February 18, 2026 |
How the vulnerability works
CVE-2026-24858 is caused by improper access control in FortiCloud SSO:
| Attack requirement | Details |
|---|---|
| Authentication | Any valid FortiCloud account |
| Registered device | Attacker needs any device registered to FortiCloud |
| Target requirement | FortiCloud SSO enabled on victim device |
| User interaction | None required |
| Network position | Remote exploitation possible |
An attacker who has registered any device to FortiCloud can exploit the flaw to authenticate to devices registered by other customers.
FortiCloud SSO exposure
| Metric | Value |
|---|---|
| Exposed instances (Shadowserver) | ~10,000 globally |
| US-based instances | ~25% of exposed devices |
| Default state | Disabled |
| Auto-enable condition | Turns on when device registered with FortiCare |
FortiCloud SSO is not enabled by default, but Fortinet notes it turns on automatically when a device is registered with FortiCare unless explicitly disabled afterward.
Discovery and exploitation timeline
| Date | Event |
|---|---|
| January 15, 2026 | Arctic Wolf observes unauthorized FortiGate configuration changes |
| January 21, 2026 | Fortinet customers report compromised devices via FortiCloud SSO |
| January 22, 2026 | Arctic Wolf confirms attacks appear automated |
| January 26, 2026 | Fortinet disables all FortiCloud SSO to mitigate exploitation |
| January 27, 2026 | Fortinet publishes advisory, assigns CVE-2026-24858 |
| January 27, 2026 | CISA adds to KEV catalog |
| January 27, 2026 | Fortinet re-enables FortiCloud SSO with blocks for vulnerable devices |
| January 28, 2026 | Fortinet begins releasing patches |
Attack methodology
Arctic Wolf reported the attacks appeared fully automated, completing the entire attack sequence within seconds:
| Phase | Action |
|---|---|
| 1 | Authenticate via FortiCloud SSO to victim device |
| 2 | Create backdoor administrator accounts |
| 3 | Create VPN-enabled accounts for persistent access |
| 4 | Exfiltrate firewall configurations |
Common rogue account names
| Account name | Purpose |
|---|---|
| audit | Backdoor admin |
| backup | Backdoor admin |
| itadmin | Backdoor admin |
| secadmin | Backdoor admin |
| remoteadmin | Backdoor admin |
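The sequence above (SSO login, then admin and VPN accounts created within seconds) leaves a recognisable trace in FortiOS event logs. The script below is an added example, not Fortinet's or Arctic Wolf's tooling: it parses FortiOS-style key=value event log lines and flags new administrator accounts (cfgpath "system.admin"), new local users (cfgpath "user.local", the object type behind VPN accounts), names from the rogue-account list above, and any account created within a short window after an admin login, which is the automation signature. The log lines are constructed; the field names follow the FortiOS event log layout (logdesc, cfgpath, cfgobj, action, user, ui, msg), but the exact logid values and the user name an SSO login produces are assumptions, so check them against the vendor's log reference before relying on the matches.

```python
"""Triage FortiOS event logs for the CVE-2026-24858 post-exploitation pattern.

Added example, not vendor tooling. Field names follow the FortiOS event log
format; the sample lines below are constructed and the logid values and the
user name shown for the SSO-authenticated session are assumptions.
"""
import re
from datetime import datetime, timedelta

# Account names reported in the campaign (from the table above).
ROGUE_NAMES = {"audit", "backup", "itadmin", "secadmin", "remoteadmin"}
# A human admin rarely creates accounts this soon after logging in; tunable.
AUTOMATION_WINDOW = timedelta(seconds=30)

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict, quotes stripped."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def timestamp(ev: dict) -> datetime:
    return datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")


def triage(lines):
    """Return findings (one dict per account creation) in log order."""
    events = [parse_line(l) for l in lines if l.strip()]
    findings = []
    last_login = {}  # admin name -> time of most recent successful login
    for ev in events:
        t = timestamp(ev)
        if ev.get("logdesc") == "Admin login successful":
            last_login[ev.get("user", "")] = t
            continue
        if ev.get("action") != "Add":
            continue
        path = ev.get("cfgpath", "")
        if path not in ("system.admin", "user.local"):
            continue
        name, actor = ev.get("cfgobj", ""), ev.get("user", "")
        reasons = ["new administrator account" if path == "system.admin"
                   else "new local (VPN-capable) user"]
        if name.lower() in ROGUE_NAMES:
            reasons.append("name matches reported rogue-account list")
        if actor in last_login and t - last_login[actor] <= AUTOMATION_WINDOW:
            secs = int((t - last_login[actor]).total_seconds())
            reasons.append(f"created {secs}s after login by {actor!r}")
        findings.append({"time": t, "account": name, "path": path, "actor": actor,
                         "ui": ev.get("ui", ""), "reasons": reasons,
                         "severity": "high" if len(reasons) >= 2 else "review"})
    return findings


# Constructed sample: an automated SSO session at 03:12 and a routine change later.
SAMPLE_LOG = """\
date=2026-01-15 time=03:12:07 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="cloudops" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 action="login" status="success" msg="Administrator cloudops logged in successfully from https(203.0.113.10)"
date=2026-01-15 time=03:12:09 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloudops" ui="https(203.0.113.10)" action="Add" cfgtid=1 cfgpath="system.admin" cfgobj="audit" cfgattr="accprofile[super_admin]" msg="Add system.admin audit"
date=2026-01-15 time=03:12:10 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cloudops" ui="https(203.0.113.10)" action="Add" cfgtid=2 cfgpath="user.local" cfgobj="remoteadmin" cfgattr="type[password]" msg="Add user.local remoteadmin"
date=2026-01-15 time=09:45:00 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="jdoe" ui="GUI(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator jdoe logged in successfully from GUI(10.0.0.5)"
date=2026-01-15 time=10:30:41 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="jdoe" ui="GUI(10.0.0.5)" action="Add" cfgtid=3 cfgpath="system.admin" cfgobj="helpdesk2" cfgattr="accprofile[prof_admin]" msg="Add system.admin helpdesk2"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} [{f['severity']}] {f['path']} {f['account']!r} by {f['actor']!r} "
              f"via {f['ui']}: {'; '.join(f['reasons'])}")
```

Feed it the raw event log export (Log & Report, or the syslog copy if the device forwards logs); an attacker who has already cleaned the on-box log will only show up in the forwarded copy, which is one reason to keep one.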
Value of an exfiltrated configuration
| Data type | Risk |
|---|---|
| LDAP/AD credentials | Lateral movement into Active Directory |
| VPN settings | Persistent remote access |
| Firewall rules | Network reconnaissance |
| Admin credentials | Further device compromise |
| Service account passwords | Privilege escalation |
Third FortiCloud SSO bypass in months
CVE-2026-24858 is the third critical FortiCloud SSO authentication bypass disclosed recently:
| CVE | Disclosure | Type |
|---|---|---|
| CVE-2025-59718 | December 2025 | SSO bypass (internally discovered) |
| CVE-2025-59719 | December 2025 | Cryptographic signature bypass |
| CVE-2026-24858 | January 2026 | Net-new authentication bypass |
CVE-2025-59718 and CVE-2025-59719 details
| Attribute | Details |
|---|---|
| Discovery | Fortinet internal code audit |
| CVE-2025-59719 type | Improper Verification of Cryptographic Signature (CWE-347) |
| Impact | Unauthenticated bypass via crafted SAML message |
| Affected products | FortiOS, FortiWeb, FortiProxy, FortiSwitchManager |
Organizations that patched for the earlier CVEs remained vulnerable to CVE-2026-24858 until Fortinet’s January 27 mitigations.
Affected products
| Product | Affected if SSO enabled |
|---|---|
| FortiOS | Yes |
| FortiManager | Yes |
| FortiWeb | Yes |
| FortiProxy | Yes |
| FortiAnalyzer | Yes |
Patch availability
| Product | Fixed version | Release date |
|---|---|---|
| FortiOS | 7.4.11 | January 27, 2026 |
| FortiManager | Forthcoming | TBD |
| FortiAnalyzer | Forthcoming | TBD |
| FortiWeb | Forthcoming | TBD |
| FortiProxy | Forthcoming | TBD |
Fortinet’s track record
Fortinet products have appeared frequently on CISA’s Known Exploited Vulnerabilities catalog:
| Metric | Value |
|---|---|
| Total KEV appearances since 2021 | 24 |
| KEV entries in 2025 | ~8 (one-third of total) |
| Used in ransomware campaigns | 13 vulnerabilities |
The repeated discovery of critical flaws in the same authentication mechanism raises questions about the underlying architecture.
Immediate actions
| Priority | Action |
|---|---|
| Critical | Apply FortiOS 7.4.11 immediately |
| Critical | Disable FortiCloud SSO if patching isn’t possible |
| Critical | Audit all admin accounts for unauthorized entries |
Disabling FortiCloud SSO
On FortiOS 7.x the switch is `admin-forticloud-sso-login` under `config system global` (there is no FortiCloud SSO option under `config user setting`); FortiManager, FortiAnalyzer, FortiWeb and FortiProxy each have their own equivalent, so take the exact command for those from Fortinet's advisory.

```
config system global
    set admin-forticloud-sso-login disable
end
```

Confirm the change on the device rather than in a backup, since a backup omits settings at their default: `get system global | grep forticloud-sso`.
Compromise assessment
| Check | Location |
|---|---|
| Admin accounts | System > Administrators |
| VPN accounts | User & Authentication > User Definition |
| Configuration changes | System > Event Logs |
| Firewall rules | Policy & Objects > Firewall Policy |
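The GUI checks above are fine for one device; for a fleet it is faster to audit configuration backups offline. The script below is an added example, not Fortinet's tooling: it parses the text format of a FortiOS backup (config / edit / set / next / end, including nested blocks), reports the explicit `admin-forticloud-sso-login` value, and lists administrators (`config system admin`) and local users (`config user local`) that are missing from a known-good list, flagging names from the rogue-account list and `super_admin` profiles. The backup text is constructed, and the known-good lists are assumptions a real team would take from change records or a backup taken before the exploitation window.

```python
"""Audit a FortiOS configuration backup for CVE-2026-24858 indicators.

Added example, not vendor tooling. The backup below is constructed; the
known-good account lists passed to audit() are assumptions.
"""
import shlex

ROGUE_NAMES = {"audit", "backup", "itadmin", "secadmin", "remoteadmin"}


def parse_config(text):
    """Parse FortiOS config text into {config path: {entry: {setting: value}}}.

    'set' lines directly under a config (outside any edit) are stored under
    entry ''. A config nested inside an edit gets a qualified path such as
    'system admin[admin] gui-dashboard'. Lines starting with '#' are skipped.
    """
    tree = {}
    stack = []  # one frame per open config: [path, current edit entry or '']
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw = tok[0]
        if kw == "config":
            sub = " ".join(tok[1:])
            path = sub if not stack else f"{stack[-1][0]}[{stack[-1][1]}] {sub}"
            stack.append([path, ""])
            tree.setdefault(path, {})
        elif kw == "edit":
            stack[-1][1] = tok[1]
            tree[stack[-1][0]].setdefault(tok[1], {})
        elif kw == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[tok[1]] = " ".join(tok[2:])
        elif kw == "next":
            stack[-1][1] = ""
        elif kw == "end":
            stack.pop()
        # 'unset' and other keywords carry nothing this audit needs.
    return tree


def entries(tree, path):
    """Named edit entries under a config path (direct sets excluded)."""
    return {n: s for n, s in tree.get(path, {}).items() if n}


def audit(config_text, known_admins, known_users):
    tree = parse_config(config_text)
    # None means the backup omits the setting, so the device default applies;
    # verify on the device with 'get system global' rather than trusting a backup.
    sso = tree.get("system global", {}).get("", {}).get("admin-forticloud-sso-login")

    def flag(name, settings):
        reasons = []
        if name.lower() in ROGUE_NAMES:
            reasons.append("matches reported rogue-account list")
        if settings.get("accprofile") == "super_admin":
            reasons.append("super_admin profile")
        return reasons

    return {
        "forticloud_sso": sso,
        "unknown_admins": {n: flag(n, s) for n, s in entries(tree, "system admin").items()
                           if n not in known_admins},
        "unknown_users": {n: flag(n, s) for n, s in entries(tree, "user local").items()
                          if n not in known_users},
    }


# Constructed backup: SSO left enabled, one rogue admin, one rogue local user.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.4.10-FW-build2731-250101:opmode=0:vdom=0
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "jdoe"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "audit"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user local
    edit "vpn-jdoe"
        set type password
    next
    edit "remoteadmin"
        set type password
    next
end
"""

if __name__ == "__main__":
    result = audit(SAMPLE_BACKUP, known_admins={"admin", "jdoe"}, known_users={"vpn-jdoe"})
    print("admin-forticloud-sso-login:", result["forticloud_sso"] or "not set (device default)")
    for kind in ("unknown_admins", "unknown_users"):
        for name, reasons in result[kind].items():
            print(f"{kind}: {name!r} {'; '.join(reasons) or 'not in known-good list'}")
```

Run it over every backup pulled after the exploitation window, and treat any account it lists as unknown until someone can name the change ticket that created it; a clean result does not clear a device whose backup was itself taken by the attacker's session.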
If compromise detected
| Action | Purpose |
|---|---|
| Rotate all credentials | Including LDAP/AD service accounts |
| Restore from known-good backup | Remove unauthorized changes |
| Review VPN logs | Identify unauthorized access |
| Block management interface | Remove internet exposure |
| Engage incident response | Full forensic investigation |
Strategic considerations
The pattern of repeated critical authentication bypasses in FortiCloud SSO suggests organizations should evaluate whether the convenience of cloud-based single sign-on justifies the risk exposure for security infrastructure.
| Consideration | Assessment |
|---|---|
| SSO convenience | Reduced credential management |
| Attack surface | Expanded by cloud integration |
| Repeated bypasses | Three critical CVEs in months |
| Management exposure | Internet-reachable by design |
Recommendations
For Fortinet customers
| Priority | Action |
|---|---|
| Immediate | Patch to FortiOS 7.4.11 |
| Immediate | Audit for rogue accounts |
| High | Review need for FortiCloud SSO |
| High | Implement management network segmentation |
| Ongoing | Monitor Fortinet PSIRT advisories |
For security teams
| Priority | Action |
|---|---|
| High | Add FortiCloud SSO to vulnerability scanning |
| High | Review all Fortinet device configurations |
| Medium | Consider alternative management approaches |
| Ongoing | Track Fortinet KEV additions |
CISA guidance
CISA released an alert on January 28, 2026, advising organizations to:
- Apply patches immediately when available
- Disable FortiCloud SSO on devices without patches
- Audit for indicators of compromise
- Report suspicious activity to CISA
The federal remediation deadline of February 18, 2026, applies to all FCEB (Federal Civilian Executive Branch) agencies. Private organizations should treat this timeline as a best practice.
Context
CVE-2026-24858 exemplifies the security challenges of cloud-integrated network infrastructure. The ability for any FortiCloud account holder to authenticate to arbitrary customer devices represents a fundamental architectural failure that wasn’t caught until active exploitation.
The automated nature of the attacks, with full compromise sequences completing in seconds, suggests threat actors who had tooling and knowledge of the vulnerability ready before disclosure. Organizations should assume that any device with FortiCloud SSO enabled during the exploitation window may be compromised and conduct a thorough forensic analysis.