Fortinet has started rolling out security updates to fix a critical vulnerability in FortiOS, which has recently been actively exploited in the wild.
The flaw, tracked as CVE-2026-24858 with a CVSS score of 9.4, is an authentication bypass issue linked to FortiOS single sign-on (SSO). This vulnerability also impacts FortiManager and FortiAnalyzer, while Fortinet continues to investigate potential effects on other products such as FortiWeb and FortiSwitch Manager.
According to a company advisory, “An Authentication Bypass Using an Alternate Path or Channel [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to access other devices registered to different accounts if FortiCloud SSO authentication is enabled.”
It is important to note that FortiCloud SSO is not enabled by default. The feature is activated only when an administrator registers the device to FortiCare through the device GUI and explicitly enables the “Allow administrative login using FortiCloud SSO” option.
This update follows confirmation from Fortinet that unknown threat actors were exploiting a new attack vector to bypass authentication, enabling SSO logins without credentials. Malicious actors used this access to create local administrator accounts, modify configurations to allow VPN access, and exfiltrate firewall settings.
Over the past week, Fortinet has implemented several mitigation steps:
- January 22, 2026: Locked two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io)
- January 26, 2026: Disabled FortiCloud SSO from the FortiCloud side
- January 27, 2026: Re-enabled FortiCloud SSO, but blocked logins from devices with vulnerable software versions
Customers are advised to upgrade to the latest firmware to ensure FortiCloud SSO functions correctly. Fortinet also recommends treating devices as compromised if there are signs of intrusion and taking the following actions:
- Update devices to the latest firmware version
- Restore configuration from a known clean backup or audit for unauthorized changes
- Rotate all credentials, including LDAP/AD accounts linked to FortiGate devices
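The recovery advice above ends with auditing for unauthorized changes. As an added defender-side example (not Fortinet's code and not part of the original article), the Python below triages constructed FortiGate-style event-log lines for the three behaviours the article attributes to the intruders: SSO admin logins, creation of local administrator accounts, and VPN configuration changes. The key=value line shape, the field names (`method`, `cloudaccount`, `cfgpath`, `cfgobj`) and the sample lines are assumptions made for this example, not Fortinet's documented log schema.

```python
"""Triage constructed FortiGate-style event lines for post-exploitation signs.
Field names and the log format are assumptions for this example only."""
import re

# The two FortiCloud accounts the article reports Fortinet locked on January 22, 2026
KNOWN_MALICIOUS_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# Matches key=value pairs where the value is either quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (not real device output); line 4 is benign
SAMPLE_LOG = [
    'date=2026-01-21 time=03:14:07 logdesc="Admin login successful" user="admin" '
    'action="login" method="forticloud-sso" cloudaccount="cloud-noc@mail.io" status="success"',
    'date=2026-01-21 time=03:15:22 logdesc="Object attribute configured" user="admin" '
    'action="Add" cfgpath="system.admin" cfgobj="support_tmp"',
    'date=2026-01-21 time=03:16:40 logdesc="Object attribute configured" user="support_tmp" '
    'action="Edit" cfgpath="vpn.ssl.settings" cfgattr="status[enable]"',
    'date=2026-01-21 time=08:00:01 logdesc="Admin login successful" user="admin" '
    'action="login" method="https" status="success"',
]


def parse_line(line: str) -> dict:
    """Split one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(line: str) -> list[str]:
    """Return the findings (possibly none) for a single log line."""
    ev = parse_line(line)
    findings = []
    user = ev.get("user", "unknown")
    if ev.get("action") == "login" and ev.get("method") == "forticloud-sso":
        acct = ev.get("cloudaccount", "unknown")
        sev = "critical" if acct in KNOWN_MALICIOUS_ACCOUNTS else "review"
        findings.append(f"{sev}: SSO admin login via {acct} as {user}")
    if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        findings.append(f"critical: new local admin '{ev.get('cfgobj')}' created by {user}")
    if ev.get("action") in {"Add", "Edit"} and ev.get("cfgpath", "").startswith("vpn."):
        findings.append(f"review: VPN config change {ev.get('cfgpath')} by {user}")
    return findings


def triage_log(lines: list[str]) -> list[tuple[int, str]]:
    """Run triage over every line; returns (1-based line number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in triage(line)]


if __name__ == "__main__":
    for lineno, finding in triage_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Only the first three constructed lines produce findings; the plain HTTPS login on line 4 is left alone, which is the point of keying on the SSO method and the specific config paths rather than on logins in general.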
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issue by January 30, 2026.