Critical Fortinet SSO Flaw Exploited: CVE-2026-24858 Patch Now

Fortinet has disclosed **CVE-2026-24858**, a critical authentication bypass vulnerability affecting FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Attackers are actively exploiting this flaw to make unauthorized configuration changes, create accounts, and compromise VPNs. Fortinet has released patches and temporary mitigations—users must act **immediately** to secure their systems.

---
title: "Critical Fortinet SSO Flaw Exploited: CVE-2026-24858 Patch Now"
short_title: "Fortinet SSO vulnerability actively exploited"
description: "Fortinet urges immediate patching of CVE-2026-24858, an authentication bypass flaw in FortiOS, FortiManager, and more. Attackers exploit it to hijack devices."
author: "Vitus"
date: 2024-02-20
categories: [Cybersecurity, Vulnerabilities]
tags: [fortinet, cve-2026-24858, authentication bypass, sso, cybersecurity]
score: 0.95
cve_ids: [CVE-2026-24858, CVE-2025-59718, CVE-2025-59719]
---

TL;DR


Fortinet has disclosed CVE-2026-24858, a critical authentication bypass vulnerability affecting FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Attackers are actively exploiting this flaw to make unauthorized configuration changes, create accounts, and compromise VPNs. Fortinet has released patches and temporary mitigations—users must act immediately to secure their systems.

---

Main Content

Critical Fortinet SSO Vulnerability Under Active Exploitation


A newly disclosed authentication bypass vulnerability in Fortinet’s FortiCloud single sign-on (SSO) feature is being actively exploited in the wild. Tracked as CVE-2026-24858, this flaw allows threat actors with a FortiCloud account and a registered device to gain unauthorized access to other users' devices, including FortiGate firewalls, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer.

This vulnerability persists even on devices patched for previous FortiCloud SSO flaws (CVE-2025-59718 and CVE-2025-59719), underscoring the urgency of applying the latest updates.

---

Key Points


- CVE-2026-24858 enables attackers to bypass authentication and log in to devices registered to other users if FortiCloud SSO is enabled.
- Active exploitation has been observed, including unauthorized firewall configuration changes, account creation, and VPN access modifications.
- Fortinet temporarily disabled FortiCloud SSO authentication on January 26, 2026, to mitigate the flaw, restoring it the following day with fixes.
- The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog on January 27, 2026.
- Users must check for indicators of compromise (IoCs) and apply patches immediately using Fortinet’s official guidance.

---

Technical Details


#### Vulnerability Overview
- CVE ID: CVE-2026-24858
- CWE ID: [CWE-288: Authentication Bypass Using an Alternate Path or Channel](https://cwe.mitre.org/data/definitions/288.html)
- Affected Products:
- FortiOS
- FortiManager
- FortiWeb
- FortiProxy
- FortiAnalyzer
- Condition for Exploitation: FortiCloud SSO must be enabled on the target device.

#### Exploitation Mechanism
Attackers with a valid FortiCloud account and a registered device can craft malicious requests to bypass authentication. This grants them access to devices belonging to other users, even if those devices were patched for earlier SSO vulnerabilities (CVE-2025-59718 and CVE-2025-59719).

#### Observed Malicious Activity
Fortinet and third-party security researchers, including Arctic Wolf Labs, have documented the following malicious activities:
- Unauthorized modifications to FortiGate firewall configurations.
- Creation of rogue user accounts with elevated privileges.
- Alterations to VPN settings to grant attackers persistent access.

---

Impact Assessment


#### Scope of Impact
- High Severity: This vulnerability poses a critical risk to organizations using Fortinet products with FortiCloud SSO enabled.
- Widespread Exploitation: The flaw is being actively exploited, increasing the likelihood of targeted attacks against unpatched systems.
- Business Risks:
- Data Breaches: Unauthorized access can lead to sensitive data exposure.
- Network Compromise: Attackers can pivot from compromised devices to infiltrate broader network infrastructure.
- Operational Disruption: Malicious configuration changes can disrupt business operations and cause downtime.

#### Who Is at Risk?
- Organizations using FortiOS, FortiManager, FortiWeb, FortiProxy, or FortiAnalyzer with FortiCloud SSO enabled.
- Enterprises that have not applied the latest patches for CVE-2026-24858, CVE-2025-59718, or CVE-2025-59719.

---

Mitigation Steps


Fortinet has released emergency guidance to address CVE-2026-24858. Users must take the following steps immediately:

1. Apply Patches:
- Follow Fortinet’s official patching instructions for [CVE-2026-24858](https://fortiguard.fortinet.com/psirt/FG-IR-26-060).
- Ensure all affected devices are updated to the latest firmware versions.

2. Temporary Mitigation:
- If patching is not immediately possible, disable FortiCloud SSO until updates can be applied.

3. Check for Indicators of Compromise (IoCs):
- Review device logs for unauthorized configuration changes, new accounts, or VPN modifications.
- Monitor network traffic for suspicious activity originating from Fortinet devices.

4. Follow CISA’s Guidance:
- Refer to CISA’s [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) for additional recommendations.

---

Affected Systems


The following Fortinet products are affected by CVE-2026-24858 if FortiCloud SSO is enabled:
- FortiOS
- FortiManager
- FortiWeb
- FortiProxy
- FortiAnalyzer

Earlier vulnerabilities (CVE-2025-59718 and CVE-2025-59719) also impacted:
- FortiSwitch Manager

---

Conclusion


CVE-2026-24858 represents a critical threat to organizations relying on Fortinet’s FortiCloud SSO for authentication. With active exploitation already underway, immediate action is required to patch vulnerable systems, disable SSO if necessary, and monitor for signs of compromise.

Failure to address this vulnerability could result in severe security breaches, including unauthorized access, data theft, and network infiltration. Organizations must prioritize patching and adhere to Fortinet’s and CISA’s guidance to mitigate risks effectively.

---

References


[^1]: Fortinet. "[Administrative FortiCloud SSO Authentication Bypass](https://fortiguard.fortinet.com/psirt/FG-IR-26-060)". FortiGuard Labs. Retrieved 2024-02-20.
[^2]: Fortinet. "[Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass](https://fortiguard.fortinet.com/psirt/FG-IR-25-647)". FortiGuard Labs. Retrieved 2024-02-20.
[^3]: Windsor, Carl. "[Analysis of Single Sign-On Abuse on FortiOS](https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios)". Fortinet PSIRT Blogs. Retrieved 2024-02-20.
[^4]: Arctic Wolf Labs. "[Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts](https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/)". Arctic Wolf Blog. Retrieved 2024-02-20.
[^5]: CISA. "[Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)". Retrieved 2024-02-20.

Related CVEs