Fortinet has begun releasing FortiOS versions that fix CVE-2026-24858, a critical zero-day vulnerability that allowed attackers to log into targeted organizations’ FortiGate firewalls.
“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on [January 22, 2026],” the company shared.
About CVE-2026-24858
On January 20, several Fortinet customers revealed that attackers gained access to their FortiGate firewalls and created new local admin accounts despite the devices running the then-latest FortiOS versions.
Those releases included patches for CVE-2025-59718, a previously exploited vulnerability that similarly allowed attackers to bypass authentication on vulnerable, internet-accessible devices.
Affected users speculated that CVE-2025-59718 hadn’t been adequately fixed, but Fortinet now says that the attackers leveraged a separate security vulnerability: CVE-2026-24858.
CVE-2026-24858 is an “authentication bypass using an alternate path or channel” vulnerability that may allow an attacker with a FortiCloud account and a registered device to log into devices registered to other accounts, provided FortiCloud SSO authentication is enabled on those devices.
The vulnerability affects FortiOS, the proprietary OS running on Fortinet’s firewalls, as well as FortiAnalyzer, the company’s logging, analytics, and reporting platform, and FortiManager, its platform for managing Fortinet security devices.
Like CVE-2025-59718 before it, CVE-2026-24858 is only exploitable on devices that have the FortiCloud SSO login feature enabled.
What to do?
CVE-2026-24858 has been fixed in FortiOS 7.4.11; fixed releases for the other FortiOS branches, FortiManager and FortiAnalyzer are to follow shortly.
Fortinet advises customers to upgrade as soon as these fixed versions become available, and says there is no need to disable FortiCloud SSO login on the client side.
“To protect its customers from further exploit, Fortinet disabled FortiCloud SSO on FortiCloud side on [January 26, 2026]. It was re-enabled on [January 27, 2026] and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions (…) for the FortiCloud SSO authentication to function,” the company explained.
Fortinet has also expanded the initial list of IP addresses and account names used in these latest attacks.
Fortinet’s advice to customers continues to include security best practices, such as restricting administrative access to edge network devices over the internet or limiting, via local-in policies, the IP addresses allowed to access the administrative interface.
Organizations that have not yet done so should check their logs for the known indicators of compromise and for suspicious admin accounts. If any are found, they should rotate credentials and restore the device configuration from a known clean version.
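As an added example (not from the article or from Fortinet), the following Python script scans FortiOS-style event log lines for the kinds of entries the advice above targets: admin-account changes, activity from source addresses outside a management allowlist, and actors absent from a known-good admin baseline. The log lines, field names and addresses are constructed assumptions in FortiOS key="value" style, not captured data.

```python
import re
import ipaddress

# Constructed sample log lines in FortiOS-style key="value" syslog format
# (field names and addresses are assumptions, not captured data).
SAMPLE_LOGS = [
    'date=2026-01-20 time=03:14:05 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" '
    'action="Add" cfgpath="system.admin" cfgobj="sysadm" msg="Add system.admin sysadm"',
    'date=2026-01-20 time=09:01:10 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="https(10.0.0.5)" '
    'action="Edit" cfgpath="system.interface" cfgobj="port1" msg="Edit system.interface port1"',
    'date=2026-01-20 time=09:05:42 type="event" subtype="system" '
    'logdesc="Admin login successful" user="sysadm" ui="https(203.0.113.77)" '
    'action="login" status="success" msg="Administrator sysadm logged in successfully"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')           # key="quoted" or key=bare
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')  # IPv4 inside ui="https(1.2.3.4)"

def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def find_suspicious(lines, allowed_cidrs, baseline_admins):
    """Return (date, time, reasons) for every line that changes an admin
    account, comes from outside the management allowlist, or is performed
    by an account missing from the known-good admin baseline."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        ev = parse_line(line)
        m = UI_IP_RE.search(ev.get("ui", ""))
        src = ipaddress.ip_address(m.group(1)) if m else None
        reasons = []
        if ev.get("cfgpath") == "system.admin" and ev.get("action") in ("Add", "Edit", "Delete"):
            reasons.append("admin account %s: %s" % (ev["action"].lower(), ev.get("cfgobj")))
        if src is not None and not any(src in n for n in nets):
            reasons.append("source %s outside management allowlist" % src)
        if ev.get("user") not in baseline_admins:
            reasons.append("actor %r not in admin baseline" % ev.get("user"))
        if reasons:
            findings.append((ev.get("date"), ev.get("time"), reasons))
    return findings

if __name__ == "__main__":
    for date, time, reasons in find_suspicious(SAMPLE_LOGS, ["10.0.0.0/8"], {"admin", "netops"}):
        print(date, time, "; ".join(reasons))
```

Point the script at exported event logs and replace the allowlist and baseline with your own management ranges and approved admin names; every reported line is a candidate for the credential rotation and configuration restore described above.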
