Executive Summary

Fortinet has released urgent guidance to address CVE-2026-24858, a critical authentication bypass vulnerability in its FortiCloud Single Sign-On (SSO) service that is under active exploitation. The flaw allows a malicious actor to use their own FortiCloud account to gain unauthorized access to other customers' devices managed via the SSO feature. Attackers have been observed making unauthorized configuration changes, creating rogue admin accounts, and modifying VPN settings. The vulnerability impacts major Fortinet products like FortiOS, FortiManager, and FortiAnalyzer. In response to the immediate threat, CISA has added CVE-2026-24858 to its KEV catalog. Fortinet temporarily disabled the SSO service to apply a fix and is urging all customers to apply updates and inspect their devices for indicators of compromise.

Vulnerability Details

CVE-2026-24858 is a critical authentication bypass vulnerability. It resides within the FortiCloud SSO mechanism, which is designed to centralize and simplify user authentication across various Fortinet products. The core of the issue is that the SSO service failed to properly validate the tenancy of a user, allowing an attacker authenticated to their own FortiCloud account to access and manage devices belonging to a completely different customer account.

• Attack Vector: An attacker with any FortiCloud account can exploit this flaw over the network against any vulnerable device with FortiCloud SSO enabled.
• Prerequisites: The target device must have FortiCloud SSO enabled for administrative login.
• Impact: Successful exploitation grants the attacker administrative access to the target device, leading to a full compromise. This includes the ability to alter firewall rules, exfiltrate data, create new admin accounts, and establish persistent access.

Significantly, this vulnerability allowed attackers to bypass patches for previous, related SSO flaws (CVE-2025-59718 and CVE-2025-59719), indicating a deeper logic flaw in the authentication process.

Affected Systems

The vulnerability affects a broad range of Fortinet's portfolio when the FortiCloud SSO feature is enabled. Products include:

• FortiOS
• FortiManager
• FortiWeb
• FortiProxy
• FortiAnalyzer

Exploitation Status

This vulnerability is being actively exploited in the wild. Fortinet confirmed it observed malicious activity where attackers leveraged the flaw to make unauthorized changes to customer devices. These observations, coupled with reports from customers seeing suspicious logins on fully patched devices, triggered the emergency response. On January 27, 2026, CISA added CVE-2026-24858 to its KEV catalog, requiring federal agencies to remediate but also serving as a critical warning to all organizations using these products.

Impact Assessment

The impact of this vulnerability is critical. Gaining administrative control over network security appliances like FortiGate firewalls is a worst-case scenario. An attacker can:

• Disable Security: Completely turn off firewall rules, intrusion prevention, and other security features.
• Data Exfiltration: Reconfigure the device to siphon network traffic to an attacker-controlled server.
• Lateral Movement: Create VPN tunnels or firewall rules that allow the attacker to pivot from the compromised appliance into the internal corporate network.
• Persistence: Create hidden administrative accounts to maintain long-term access even after the primary vulnerability is patched.
• Disruption: Cause a denial of service by misconfiguring the device or deleting its configuration.

Given that Fortinet products are widely used to protect network perimeters, a compromise can serve as a gateway for ransomware deployment, espionage, and large-scale data breaches.

Cyber Observables for Detection

CISA and Fortinet urge administrators to hunt for the following indicators of compromise:

Detection & Response

1. Audit Logs: Immediately review administrative login logs on all internet-facing Fortinet devices. Scrutinize all successful logins that used the FortiCloud SSO method. Any login from an unrecognized source IP or that does not correlate with legitimate administrator activity should be considered suspicious.

2. Configuration Review: Perform a full audit of the device configuration. Specifically look for:

   • Recently created local user accounts.
   • Modifications to user groups, especially those with administrative rights.
   • Changes to VPN portals, settings, and associated user groups.
   • New or modified firewall policies, NAT rules, or static routes.

3. D3FEND Techniques for Detection:

   • D3-LAM: Local Account Monitoring: This is critical for detecting the creation of rogue administrator accounts on the Fortinet device.
   • D3-UGLPA: User Geolocation Logon Pattern Analysis: Analyzing login locations can help identify anomalous access patterns inconsistent with known administrator locations.

Remediation Steps

1. Disable SSO (Temporary): As an immediate containment step, administrators can disable FortiCloud SSO for admin login and revert to local authentication until patching is complete.

2. Apply Updates: Fortinet has reinstated the FortiCloud SSO service with the necessary server-side fixes. Customers should ensure their devices are running versions that incorporate the client-side patches and that they have re-established their connection to the patched FortiCloud service.

3. Investigate for Compromise: It is not enough to simply patch. Due to the active exploitation, all organizations using this feature must assume compromise and perform a thorough investigation based on the detection steps outlined above. If any signs of compromise are found, initiate the organization's incident response plan, revoke any unauthorized credentials, and restore configurations from a known-good backup.