Fortinet Patches Actively Exploited CVE-2026-24858 in FortiOS SSO

Divyansh Ingle, Head of Engineering

January 29, 2026, 3 min read

TL;DR

Fortinet has issued critical security updates for FortiOS, FortiManager, and FortiAnalyzer to address CVE-2026-24858, an actively exploited authentication bypass vulnerability. This flaw allows unauthorized access via FortiCloud SSO. The article details the vulnerability, impacted versions, and provides specific steps for patching and workarounds to mitigate the risk.

Fortinet Patches Actively Exploited FortiOS SSO Authentication Bypass (CVE-2026-24858)

Fortinet has released security updates to address a critical vulnerability, CVE-2026-24858, affecting FortiOS, FortiManager, and FortiAnalyzer. This flaw is under active exploitation in the wild. CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability involves an Authentication Bypass Using an Alternate Path or Channel.

Vulnerability Details

CVE-2026-24858 has a CVSS score of 9.4. It allows an attacker with a FortiCloud account and a registered device to potentially log into other devices registered to different accounts if FortiCloud SSO authentication is enabled. According to Fortinet, the FortiCloud SSO login feature is not enabled in default factory settings. It is enabled when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page.

Impacted Products and Versions

The vulnerability affects the following products and versions:

  • FortiAnalyzer 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
  • FortiManager 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
  • FortiOS 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18
  • FortiProxy 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2 all versions, 7.0 all versions
  • FortiWeb 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, 7.4.0 through 7.4.11

Fortinet is also investigating whether FortiWeb and FortiSwitch Manager are affected.

Remediation

Upgrade to the latest versions of the software. Follow the recommended upgrade path using Fortinet's upgrade tool.

Specific fixed versions include:

  • FortiAnalyzer: Upgrade to 7.6.6, 7.4.10, 7.2.12, or 7.0.16 (or later).
  • FortiManager: Upgrade to 7.6.6, 7.4.10, 7.2.13, or 7.0.16 (or later).
  • FortiOS: Upgrade to 7.6.6, 7.4.11, 7.2.13, or 7.0.19 (or later).
  • FortiProxy: Upgrade to 7.6.6 or 7.4.13 (or later), or migrate from 7.2 and 7.0 to a fixed release.
  • FortiWeb: Upgrade to 8.0.4, 7.6.7, or 7.4.12 (or later).

Workaround

Fortinet has disabled FortiCloud SSO login from devices running vulnerable versions. Disabling FortiCloud SSO login on the client side is not currently necessary but can be done as follows:

  • FortiOS and FortiProxy: Go to System -> Settings -> Switch "Allow administrative login using FortiCloud SSO" to Off. Alternatively, use the following CLI commands:

        config system global
            set admin-forticloud-sso-login disable
        end

  • FortiManager and FortiAnalyzer: Go to System Settings -> SAML SSO -> Switch "Allow admins to login with FortiCloud" to Off. Alternatively, use the following CLI commands:

        config system saml
            set forticloud-sso disable
        end

Indicators of Compromise (IOCs)

Fortinet has observed the following IOCs:

  • SSO Login User Accounts:
  • IP Addresses: (source IP list from Fortinet's advisory, plus two additional IPs observed by a third party, not Fortinet)
  • Malicious Local Account Creation:
    • audit
    • backup
    • itadmin
    • secadmin
    • support
    • backupadmin
    • deploy
    • remoteadmin
    • security
    • svcadmin
    • system
  • Attacker Operations:
    • Download customer config file
    • Add an admin account for persistence
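As an added example (not code from Fortinet or from this article), the Python script below audits a FortiOS configuration backup for the workaround setting from the previous section and for local admin accounts whose names match the attacker-created names listed above. The sample config is constructed for a hypothetical device, and the parser only handles the flat config/edit/next/end layout these two sections use.

```python
# Local admin names Fortinet lists as created by the attacker (from the advisory above).
SUSPICIOUS_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}
# Constructed sample FortiOS config backup (hypothetical device, not a real export).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "backupadmin"
    next
end
"""

def parse_fortios_config(text):
    """Walk config/edit/next/end nesting; return (settings-per-section, edit-names-per-section)."""
    settings, entries, stack, current_edit = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):            # open a section, e.g. "system global"
            stack.append(line[len("config "):])
            settings.setdefault(stack[-1], {})
            entries.setdefault(stack[-1], [])
        elif line.startswith("edit ") and stack:  # table entry such as an admin account
            current_edit = line[len("edit "):].strip('"')
            entries[stack[-1]].append(current_edit)
        elif line == "next":
            current_edit = None
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("set ") and stack and current_edit is None:
            key, _, value = line[len("set "):].partition(" ")  # section-level setting
            settings[stack[-1]][key] = value.strip('"')
    return settings, entries

def audit_config(text):
    """Flag FortiCloud SSO admin login left enabled and admin names matching the IOC list."""
    settings, entries = parse_fortios_config(text)
    findings = []
    if settings.get("system global", {}).get("admin-forticloud-sso-login") == "enable":
        findings.append("forticloud-sso-login-enabled")
    for name in entries.get("system admin", []):
        if name.lower() in SUSPICIOUS_ADMIN_NAMES:
            findings.append("suspicious-admin:" + name)
    return findings
```

For FortiManager and FortiAnalyzer backups the same approach applies, checking `forticloud-sso` under `config system saml` instead. A match on an account name is only a lead for the audit step in the next section, since the names are common enough to occur legitimately.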

Actions to Take if Compromised

If you detect signs of compromise, Fortinet recommends treating devices as breached and taking the following actions:

  • Ensure the device is running the latest firmware version.
  • Restore configuration with a known clean version or audit for any unauthorized changes.
  • Rotate credentials, including any LDAP/AD accounts connected to the FortiGate devices.

Gopher Security's AI-Powered, Post-Quantum Zero-Trust Architecture

As highlighted by the Fortinet vulnerability, robust security measures are crucial to protect against unauthorized access and potential breaches. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, offering a comprehensive solution to converge networking and security across diverse environments. Our platform utilizes peer-to-peer encrypted tunnels and quantum-resistant cryptography to ensure your data remains secure, even against advanced threats.

By implementing Gopher Security's Zero-Trust architecture, organizations can enhance their security posture and mitigate the risks associated with vulnerabilities like CVE-2026-24858. Our platform provides continuous authentication and authorization, ensuring that only verified users and devices can access sensitive resources.

Explore how Gopher Security can help you build a resilient and secure network infrastructure. Contact us today to learn more about our services.

Divyansh Ingle, Head of Engineering. AI and cybersecurity expert with 15 years of large-scale system engineering experience. Great hands-on engineering director.
