The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical authentication bypass vulnerability in multiple Fortinet products that is being actively exploited in the wild.
Tracked as CVE-2026-24858, the flaw allows an attacker who controls any FortiCloud account to hijack administrative sessions on devices registered to other accounts when FortiCloud Single Sign-On (SSO) is enabled.
First disclosed by Fortinet on January 28, 2026, via PSIRT advisory FG-IR-26-060, the vulnerability has already drawn CISA's attention because of its potential use for initial access, lateral movement and ransomware deployment.
FortiCloud SSO Authentication Bypass Vulnerability
CVE-2026-24858 stems from improper authentication handling in an alternate path or channel, mapped to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Attackers exploit this by using a compromised or attacker-controlled FortiCloud account that has at least one registered device. From that foothold they can authenticate through SSO to unrelated FortiAnalyzer, FortiManager, FortiOS, or FortiProxy instances, bypassing those devices' own administrator credentials.
| CVE ID | Description | CVSS v3.1 Score | Severity | Affected Products | Patch Status |
|---|---|---|---|---|---|
| CVE-2026-24858 | Authentication bypass via alternate path/channel in FortiCloud SSO | 9.1 | Critical | FortiAnalyzer, FortiManager, FortiOS, FortiProxy | Patched |
CVSS breakdown as reported: Attack Vector (Network), Attack Complexity (Low), Privileges Required (Low), User Interaction (None), Scope (Unchanged), Confidentiality/Integrity/Availability (High). Note that those metrics (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) compute to 8.8 under CVSS v3.1, not 9.1, so one of the two figures is misreported; treat the vendor advisory as authoritative for the vector. No public proof-of-concept exploit has been released, but Fortinet reports targeted abuse of the SSO workflow.
Fortinet’s PSIRT blog details a real-world incident in which threat actors scanned for exposed FortiCloud SSO endpoints. Attackers registered low-privilege devices to their accounts, then pivoted to high-value targets like enterprise FortiGate firewalls running FortiOS.
That chain provides initial access, privilege escalation and persistence, the footholds ransomware operators need before deployment. No link to a named ransomware group has been confirmed; the comparison to LockBit or ALPHV/BlackCat rests on the low barrier to exploitation, not on observed activity.
CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on January 29, 2026, requiring federal agencies to remediate within the BOD 22-01 timeline. Private-sector exposure is also broad: Shadowserver scans count over 500,000 Fortinet devices worldwide with FortiCloud SSO in use.
The flaw lies in SSO token validation: a token that is valid for one device is accepted by devices it was never issued for. An attacker authenticates legitimately to a device registered under their own FortiCloud account, captures the resulting session token, and replays it against devices registered to other accounts.
The bypass yields no code execution by itself, but administrator access is enough to dump the configuration, pivot through the device's VPN, or stage malware. FortiProxy deployments used as zero-trust access gateways are particularly exposed, since the proxy itself then becomes the pivot point into the protected applications.
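The pattern described above, a token that is checked for validity but not for where it belongs, is a generic CWE-288 illustration added here; it is not Fortinet's code and makes no claim about how the FortiCloud SSO implementation works internally. The HMAC secret, claim names and device serials are all constructed for the demo. `weak_accept` verifies only signature and expiry, so a token minted for the attacker's own device is accepted when replayed to a victim device; `hardened_accept` additionally binds the token to the presenting device and to the accounts that device's owner has approved.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real SSO broker would use per-tenant or per-device keys.
SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(account: str, device_serial: str, ttl: int = 300, now=None) -> str:
    """Mint an HMAC-signed session token carrying the issuing account and device."""
    now = time.time() if now is None else now
    claims = {"sub": account, "device": device_serial, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify_sig(token: str):
    """Return the claims if the signature is intact, else None."""
    body, sig = token.split(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def weak_accept(token: str, this_device: str, now=None) -> bool:
    """Alternate-path bypass: signature and expiry are checked, but the token is
    never compared against the device it is being presented to, so replay works."""
    claims = _verify_sig(token)
    now = time.time() if now is None else now
    return claims is not None and claims["exp"] > now


def hardened_accept(token: str, this_device: str, allowed_accounts, now=None) -> bool:
    """Bind the token to this device and to the accounts its owner approved."""
    claims = _verify_sig(token)
    now = time.time() if now is None else now
    if claims is None or claims["exp"] <= now:
        return False
    if not hmac.compare_digest(claims["device"], this_device):
        return False  # token was issued for a different device: replay
    return claims["sub"] in allowed_accounts


if __name__ == "__main__":
    # Attacker registers their own device, logs in legitimately, captures the token...
    tok = issue_token("attacker@mail.example", "FGT-ATTACKER-001")
    # ...and replays it to a victim device registered to someone else's account.
    print("weak verifier accepts replay:", weak_accept(tok, "FGT-VICTIM-002"))
    print("hardened verifier accepts replay:",
          hardened_accept(tok, "FGT-VICTIM-002", {"victim@corp.example"}))
```

The device-binding check is the one most SSO integrations forget: a signed token proves who the identity provider vouched for, not which relying party was meant to consume it.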
Mitigations
Fortinet urges immediate upgrades:
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| FortiAnalyzer | 7.4.0-7.4.3 | 7.4.4+ |
| FortiManager | 7.6.0-7.6.2 | 7.6.3+ |
| FortiOS | 7.4.0-7.4.5 | 7.4.6+ |
| FortiProxy | 7.4.0-7.4.4 | 7.4.5+ |
Disable FortiCloud SSO on devices that do not need it, enforce MFA on every FortiCloud account, and watch FortiAnalyzer for administrator logins via SSO from unfamiliar accounts or source addresses. Federal agencies must remediate within the BOD 22-01 deadline attached to the KEV entry; where a device cannot be patched, remove it from FortiCloud SSO or decommission it. Monitor NVD and the FortiGuard PSIRT advisory for updated guidance.
This vulnerability shows how a cloud SSO integration can become an alternate authentication path around per-device credentials in hybrid environments. Prompt patching, and auditing which accounts can reach which devices through SSO, is essential.
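A fleet triage script that puts the version table and the monitoring advice above into practice, added here as an example rather than taken from Fortinet or CISA. The affected and fixed ranges are copied from the table above; the inventory and the log lines are constructed samples. The log format imitates FortiOS `key="value"` event records, but the `method="sso"` and `cloud_account=` fields are assumptions for the demo, so map them to whatever your FortiAnalyzer export actually emits before using the detection.

```python
import re

# (first vulnerable, last vulnerable, first fixed) per the advisory table above.
AFFECTED = {
    "FortiAnalyzer": ((7, 4, 0), (7, 4, 3), (7, 4, 4)),
    "FortiManager":  ((7, 6, 0), (7, 6, 2), (7, 6, 3)),
    "FortiOS":       ((7, 4, 0), (7, 4, 5), (7, 4, 6)),
    "FortiProxy":    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
}


def parse_version(v: str) -> tuple:
    """Accept '7.4.3', 'v7.4.3' or '7.4.3 build1234' and return (7, 4, 3)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(product: str, version: str) -> bool:
    """True if the build falls inside the range listed in the advisory table."""
    if product not in AFFECTED:
        return False  # product not covered by the table; check the advisory directly
    lo, hi, _ = AFFECTED[product]
    return lo <= parse_version(version) <= hi


def fixed_version(product: str) -> str:
    return ".".join(str(x) for x in AFFECTED[product][2])


def triage(inventory):
    """Rank vulnerable devices: P1 when FortiCloud SSO is enabled (the exploited path),
    P2 when it is disabled. Returns (priority, host, product, version, fix)."""
    out = []
    for d in inventory:
        if not is_vulnerable(d["product"], d["version"]):
            continue
        prio = "P1" if d["sso_enabled"] else "P2"
        out.append((prio, d["host"], d["product"], d["version"], fixed_version(d["product"])))
    return sorted(out)


KV = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> dict:
    """Split a FortiOS-style key="value" event line into a dict (unquoted keys ignored)."""
    return dict(KV.findall(line))


def suspicious_sso_logins(lines, approved_accounts):
    """Flag successful admin logins over SSO from FortiCloud accounts the device
    owner has not approved. Field names are assumed for the demo (see lead-in)."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if ev.get("method") != "sso":
            continue
        acct = ev.get("cloud_account", "")
        if acct not in approved_accounts:
            hits.append((ev.get("devname"), acct, ev.get("srcip")))
    return hits


# Constructed sample inventory.
INVENTORY = [
    {"host": "fgt-edge-01", "product": "FortiOS", "version": "7.4.5", "sso_enabled": True},
    {"host": "fgt-lab-02", "product": "FortiOS", "version": "7.4.6", "sso_enabled": True},
    {"host": "fmg-core", "product": "FortiManager", "version": "7.6.1", "sso_enabled": False},
    {"host": "faz-siem", "product": "FortiAnalyzer", "version": "7.2.9", "sso_enabled": True},
    {"host": "fpx-dmz", "product": "FortiProxy", "version": "v7.4.4 build1234", "sso_enabled": True},
]

# Constructed sample log lines in a FortiOS-like key="value" layout.
LOGS = [
    'date=2026-01-30 time=08:12:01 devname="fgt-edge-01" logid="0100032001" type="event" subtype="system" action="login" status="success" user="admin" method="https" srcip="10.1.1.5"',
    'date=2026-01-30 time=08:14:22 devname="fgt-edge-01" logid="0100032001" type="event" subtype="system" action="login" status="success" user="sso-admin" method="sso" cloud_account="ops@corp.example" srcip="10.1.1.5"',
    'date=2026-01-30 time=08:15:07 devname="fgt-edge-01" logid="0100032001" type="event" subtype="system" action="login" status="success" user="sso-admin" method="sso" cloud_account="unknown@mail.example" srcip="203.0.113.77"',
    'date=2026-01-30 time=08:15:30 devname="fgt-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="sso-admin" method="sso" cloud_account="unknown@mail.example" srcip="203.0.113.77"',
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("PATCH", *row)
    for dev, acct, src in suspicious_sso_logins(LOGS, {"ops@corp.example"}):
        print(f"ALERT {dev}: SSO admin login from unapproved account {acct} at {src}")
```

Feed `triage` your real inventory export and `suspicious_sso_logins` a FortiAnalyzer log pull; the approved-account set should be the FortiCloud accounts that legitimately own each device, which is exactly the binding the bypass ignores.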