Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it’s continuing to investigate if other products, including FortiWeb and FortiSwitch Manager, are impacted by the flaw.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in an advisory released Tuesday.
It’s worth noting that the FortiCloud SSO login feature is not enabled in the default factory settings. It’s only turned on in scenarios where an administrator registers the device to FortiCare from the device’s GUI, unless they have taken steps to explicitly toggle the “Allow administrative login using FortiCloud SSO” switch.
The development comes days after Fortinet confirmed that unidentified threat actors were abusing a “new attack path” to achieve SSO logins without requiring any authentication. The access was abused to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate those firewall configurations.
Over the past week, the network security vendor said it has taken the following steps –
- Locked out two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) on January 22, 2026
- Disabled FortiCloud SSO on the FortiCloud side on January 26, 2026
- Re-enabled FortiCloud SSO on January 27, 2026, while disabling the option to login from devices running vulnerable versions
In other words, customers are required to upgrade to the latest versions of the software for the FortiCloud SSO authentication to function. Fortinet is also urging users who detect signs of compromise to treat their devices as breached and recommends the following actions –
- Ensure the device is running the latest firmware version
- Restore configuration with a known clean version or audit for any unauthorized changes
- Rotate credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices
The development has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to remediate the issues by January 30, 2026.
Update
On January 28, 2026, CISA issued additional guidance for CVE-2026-24858, noting that it allows “malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign-on (SSO) is enabled on devices.”
Customers of FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb are all affected and should upgrade to the latest version to restore FortiCloud SSO services.
Fortinet is still investigating FortiSwitch Manager for its exposure to the security flaw. The company has since confirmed that the issue only impacts FortiCloud SSO and does not affect third-party SAML IdP or FortiAuthenticator implementations.
The agency is also urging users to “check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and immediately apply updates as soon as they are available using Fortinet’s instructions.”
