
Context
CISA published an alert on January 28, 2026, regarding active exploitation of vulnerability CVE-2026-24858 affecting multiple Fortinet products. This flaw was added to CISA’s KEV (Known Exploited Vulnerabilities) catalog on January 27, 2026. Fortinet has released patches and recommendations to remediate this critical authentication bypass vulnerability.
Technical Description of the Vulnerability
CVE-2026-24858 is an authentication bypass vulnerability using an alternate path or channel (CWE-288). It affects FortiOS, FortiManager, FortiAnalyzer, and FortiProxy. The assigned CVSS v3 score is 9.4 (critical).
The vulnerability allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other user accounts, if FortiCloud SSO authentication is enabled on those devices.
The FortiCloud SSO login feature is not enabled by default in factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the “Allow administrative login using FortiCloud SSO” toggle in the registration page, FortiCloud SSO login is enabled upon registration.
Timeline of Events
- January 20, 2026: Multiple Fortinet customers report compromised FortiGate firewalls with unauthorized local administrator account creation, despite running the latest FortiOS versions, including patches for CVE-2025-59718
- January 22, 2026: Fortinet locks out two malicious FortiCloud accounts identified as responsible for the exploitations
- January 26, 2026: Fortinet disables FortiCloud SSO authentication on the cloud side to mitigate CVE-2026-24858
- January 27, 2026: Fortinet reinstates the service with modifications preventing exploitation of vulnerable devices and publishes PSIRT advisory FG-IR-26-060. CISA adds CVE-2026-24858 to the KEV catalog
- January 28, 2026: CISA alert publication with remediation recommendations
Relationship with Previous Vulnerabilities
CVE-2026-24858 is a distinct vulnerability from previously patched flaws CVE-2025-59718 and CVE-2025-59719 (CWE-347: Improper Verification of Cryptographic Signature). The latter affected FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager and allowed malicious actors to bypass SSO authentication via a crafted SAML message.
Compromised devices had been fully upgraded to the latest versions addressing CVE-2025-59718 and CVE-2025-59719 at the time of CVE-2026-24858 exploitation.
Observed Malicious Activity
Fortinet documented the following malicious activities on fully updated FortiGate devices:
- Unauthorized firewall configuration changes
- Unauthorized creation of local administrator accounts
- Unauthorized VPN configuration changes to grant access to new accounts
Administrator accounts created by attackers included the following names:
- audit
- backup
- itadmin
- secadmin
- support
- backupadmin
- deploy
- remoteadmin
- security
- svc
The two malicious FortiCloud accounts identified as responsible for the exploitation were locked out on January 22, 2026.
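One way to hunt for the account-creation activity described above is to review the "config system admin" section of each FortiGate configuration backup against the observed names and against the organisation's own approved admin list. The following is an added example (not Fortinet's or CISA's code); the configuration text it parses is a constructed sample in the standard FortiOS config-backup layout, and the approved-admin baseline is an assumed input.

```python
import re
# Admin account names Fortinet observed attackers creating (listed in the page above).
OBSERVED_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support",
                        "backupadmin", "deploy", "remoteadmin", "security", "svc"}
# Constructed sample "config system admin" section of a FortiOS config backup
# (hypothetical content, not a dump from a real or compromised device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "itadmin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "prof_admin"
    next
end
config system global
    set hostname "fw-edge-01"
end
"""

def parse_admin_accounts(config_text):
    """Return {name: {attribute: value}} for each entry under 'config system admin'."""
    accounts, current, in_admin = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_admin = True
        elif in_admin and line == "end":  # leaves the admin section; ignore the rest
            in_admin = False
        elif in_admin:
            m = re.match(r'edit "([^"]+)"$', line)
            if m:
                current = m.group(1)
                accounts[current] = {}
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                key, _, value = line[4:].partition(" ")
                accounts[current][key] = value.strip('"')
    return accounts

def review_admin_accounts(config_text, baseline):
    """Flag admins matching the observed names and any admin not in the approved baseline."""
    names = set(parse_admin_accounts(config_text))
    return {"matches_observed": sorted(names & OBSERVED_ADMIN_NAMES),
            "not_in_baseline": sorted(names - set(baseline))}
```

The baseline comparison matters because an attacker is not bound to the names seen so far; any admin outside the approved list deserves the same scrutiny.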
Affected Products
The following products are affected by CVE-2026-24858:
- FortiOS
- FortiManager
- FortiAnalyzer
- FortiProxy
The vulnerability only affects devices with FortiCloud SSO authentication enabled.
Patched Versions
Fortinet has begun releasing patched versions. FortiOS 7.4.11 addresses the vulnerability. Additional versions for FortiOS, FortiManager, and FortiAnalyzer are being released.
Remediation Measures
CISA recommends users take the following actions:
- Check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability
- Immediately apply updates as soon as they are available using Fortinet’s instructions
Fortinet strongly recommends customers upgrade their devices to patched versions as soon as they become available. Disabling FortiCloud SSO login on the client side is not necessary as Fortinet has deployed a fix in the cloud environment preventing connections from devices running vulnerable versions.
For organizations wishing to disable the FortiCloud SSO feature locally, the procedure is as follows:
- Via GUI: System > Settings, toggle off “Allow administrative login using FortiCloud SSO”
- Via CLI: use the appropriate command documented in the security advisory
BOD 22-01 Directive
Binding Operational Directive (BOD) 22-01 establishes the KEV catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
The remediation deadline for FCEB agencies is set for January 30, 2026.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV catalog vulnerabilities as part of their vulnerability management practice.
Enjoy!
References
- CISA Alert: Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858 (January 28, 2026) https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
- Fortinet PSIRT Advisory FG-IR-26-060: Administrative FortiCloud SSO Authentication Bypass (January 27, 2026) https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- Fortinet Blog: Analysis of Single Sign-On Abuse on FortiOS (January 22, 2026) https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
- CISA Known Exploited Vulnerabilities Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Arctic Wolf Blog: Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts (January 21, 2026) https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
- NVD: CVE-2026-24858 https://nvd.nist.gov/vuln/detail/CVE-2026-24858