Fortinet Patches Actively Exploited CVE-2026-24858 in FortiOS SSO

Fortinet vulnerability CVE-2026-24858 FortiOS SSO authentication bypass FortiManager FortiAnalyzer cybersecurity patch management
Divyansh Ingle
Divyansh Ingle

Head of Engineering

 
January 28, 2026 3 min read
Fortinet Patches Actively Exploited CVE-2026-24858 in FortiOS SSO

TL;DR

  • Fortinet has issued critical security updates for FortiOS, FortiManager, and FortiAnalyzer to address CVE-2026-24858, an actively exploited authentication bypass vulnerability. This flaw allows unauthorized access via FortiCloud SSO. The article details the vulnerability, impacted versions, and provides specific steps for patching and workarounds to mitigate the risk.

Fortinet Patches Actively Exploited FortiOS SSO Authentication Bypass (CVE-2026-24858)

Fortinet has released security updates to address a critical vulnerability, CVE-2026-24858, affecting FortiOS, FortiManager, and FortiAnalyzer. This flaw is under active exploitation in the wild. CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability involves an Authentication Bypass Using an Alternate Path or Channel.

Vulnerability Details

CVE-2026-24858 has a CVSS score of 9.4. It allows an attacker with a FortiCloud account and a registered device to potentially log into other devices registered to different accounts if FortiCloud SSO authentication is enabled. According to Fortinet, the FortiCloud SSO login feature is not enabled in default factory settings. It is enabled when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page.

Impacted Products and Versions

The vulnerability affects the following products and versions:

  • FortiAnalyzer 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
  • FortiManager 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
  • FortiOS 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18
  • FortiProxy 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2 all versions, 7.0 all versions
  • FortiWeb 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, 7.4.0 through 7.4.11

Fortinet is also investigating whether FortiWeb and FortiSwitch Manager are affected.

Remediation

Upgrade to the latest versions of the software. Follow the recommended upgrade path using Fortinet's upgrade tool.

Specific fixed versions include:

  • FortiAnalyzer: Upgrade to 7.6.6, 7.4.10, 7.2.12, or 7.0.16 (or later).
  • FortiManager: Upgrade to 7.6.6, 7.4.10, 7.2.13, or 7.0.16 (or later).
  • FortiOS: Upgrade to 7.6.6, 7.4.11, 7.2.13, or 7.0.19 (or later).
  • FortiProxy: Upgrade to 7.6.6 or 7.4.13 (or later), or migrate from 7.2 and 7.0 to a fixed release.
  • FortiWeb: Upgrade to 8.0.4, 7.6.7, or 7.4.12 (or later).

Workaround

Fortinet has disabled FortiCloud SSO login from devices running vulnerable versions. Disabling FortiCloud SSO login on the client side is not currently necessary but can be done as follows:

  • FortiOS and FortiProxy: Go to System -> Settings -> Switch "Allow administrative login using FortiCloud SSO" to Off. Alternatively, use the CLI command:
config system global
    set admin-forticloud-sso-login disable
end
  • FortiManager and FortiAnalyzer: Go to System Settings -> SAML SSO -> Switch "Allow admins to login with FortiCloud" to Off. Alternatively, use the CLI command:
config system saml
    set forticloud-sso disable
end

Indicators of Compromise (IOCs)

Fortinet has observed the following IOCs:

  • SSO Login User Accounts:
  • IP Addresses:
    • 104.28.244.115
    • 104.28.212.114
    • 104.28.212.115
    • 104.28.195.105
    • 104.28.195.106
    • 104.28.227.106
    • 104.28.227.105
    • 104.28.244.114 *Additional IPs observed by a third party, not Fortinet:
    • 37\[.\]1.209.19
    • 217\[.\]119.139.50
  • Malicious Local Account Creation:
    • audit
    • backup
    • itadmin
    • secadmin
    • support
    • backupadmin
    • deploy
    • remoteadmin
    • security
    • svcadmin
    • system
  • Attacker Operations:
    • Download customer config file
    • Add an admin account for persistence

Actions to Take if Compromised

If you detect signs of compromise, Fortinet recommends treating devices as breached and taking the following actions:

  • Ensure the device is running the latest firmware version.
  • Restore configuration with a known clean version or audit for any unauthorized changes.
  • Rotate credentials, including any LDAP/AD accounts connected to the FortiGate devices.

Gopher Security's AI-Powered, Post-Quantum Zero-Trust Architecture

As highlighted by the Fortinet vulnerability, robust security measures are crucial to protect against unauthorized access and potential breaches. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, offering a comprehensive solution to converge networking and security across diverse environments. Our platform utilizes peer-to-peer encrypted tunnels and quantum-resistant cryptography to ensure your data remains secure, even against advanced threats.

By implementing Gopher Security's Zero-Trust architecture, organizations can enhance their security posture and mitigate the risks associated with vulnerabilities like CVE-2026-24858. Our platform provides continuous authentication and authorization, ensuring that only verified users and devices can access sensitive resources.

Explore how Gopher Security can help you build a resilient and secure network infrastructure. Contact us today to learn more about our services.

Divyansh Ingle
Divyansh Ingle

Head of Engineering

 

AI and cybersecurity expert with 15-year large scale system engineering experience. Great hands-on engineering director.

Related News

Surge in Vulnerability Exploits: Cyber Intrusions Trends 2026
cybersecurity trends 2026

Surge in Vulnerability Exploits: Cyber Intrusions Trends 2026

Vulnerability exploits now drive 40% of cyberattacks as hackers weaponize flaws within hours. Learn why traditional patching is failing and how to adapt. Read more.

By Divyansh Ingle March 30, 2026 3 min read
common.read_full_article
Surge in Vulnerability Exploits Dominates 2026 Cyber Intrusions
Vulnerability Exploitation

Surge in Vulnerability Exploits Dominates 2026 Cyber Intrusions

Hackers are weaponizing zero-days within hours of disclosure, leaving traditional patch cycles in the dust. Learn how to bridge the security gap with MFA and Zero-Trust.

By Alan V Gutnov March 23, 2026 4 min read
common.read_full_article
Vulnerability Exploits Dominate Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Dominate Cyber Intrusions in 2026 Trends

Exploits are the leading cause of cyber intrusions, outpacing phishing. Discover the latest trends and essential strategies to protect your organization. Read now!

By Brandon Woo March 16, 2026 3 min read
common.read_full_article
CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article