CVE-2026-24858: FortiCloud SSO Authentication Bypass Under Active Exploitation

Critical vulnerability allows attackers with a FortiCloud account to access Fortinet devices registered by other organizations. CISA added it to the KEV catalog with a CVSS score of 9.4.

Dédalo Team Security
· 4 min read
#security#vulnerability#fortinet#cve

On January 27, 2026, Fortinet published a critical advisory about CVE-2026-24858, a vulnerability that allows an attacker with a FortiCloud account to access Fortinet devices registered by other organizations. No sophisticated exploit is needed: it’s enough for the target device to have FortiCloud SSO enabled.

CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog the same day. The assigned severity is CVSS 9.4.

What this vulnerability allows

CVE-2026-24858 is an authentication bypass classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). An attacker with a valid FortiCloud account and at least one registered device can authenticate to devices belonging to other organizations if those devices have FortiCloud SSO login enabled.

Affected products include:

  • FortiOS (versions 7.6.x through 7.6.5)
  • FortiManager (7.6.x through 7.6.5)
  • FortiAnalyzer (7.6.x through 7.6.5)
  • FortiProxy (7.6.x through 7.6.4)
  • FortiWeb (7.6.x and 8.0.x through 8.0.3)

An important detail: FortiCloud SSO is not enabled by default in factory configuration. However, when an administrator registers the device in FortiCare from the GUI, the option “Allow administrative login using FortiCloud SSO” remains active unless manually unchecked during registration.

What the attackers did

Fortinet confirmed that the vulnerability was actively exploited by at least two malicious FortiCloud accounts, which were blocked on January 22, 2026. On compromised devices, the attackers performed the following actions:

  • Downloaded complete configuration files
  • Created administrative accounts with generic names: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, sv
  • Modified VPN configurations to grant persistent access to the new accounts

This behavior pattern indicates that the attackers sought persistence and long-term access, not just an opportunistic intrusion.

Fortinet’s response

On January 26, Fortinet temporarily disabled all FortiCloud SSO authentication as a containment measure. The service was restored on January 27 with changes to prevent exploitation on vulnerable devices.

Patched versions available so far:

  • FortiOS 7.6.6
  • FortiOS 7.4.11

Patches for FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb are under development and will be released soon according to Fortinet.

Immediate action checklist

If your organization operates Fortinet devices, especially those exposed to the internet:

  • Verify if FortiCloud SSO is enabled on each device (check FortiCare/FortiCloud configuration)
  • Review authentication logs for recently created administrative accounts
  • Specifically search for accounts named: audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, sv
  • Update FortiOS to version 7.6.6 or 7.4.11
  • If indicators of compromise are detected: rotate all administrative credentials
  • Restore configuration from a clean backup prior to January 22
  • Review VPN configurations for unauthorized modifications
  • Restrict administrative access to edge devices from known IP addresses

Context: not the first time

This vulnerability appears shortly after CVE-2025-59718 and CVE-2025-59719, which involved SAML message bypasses in Fortinet products. CVE-2026-24858 exists independently and is not resolved by patches for those earlier vulnerabilities.

The pattern of critical vulnerabilities in edge devices (firewalls, VPN concentrators, gateways) has repeated frequently in recent years, affecting multiple vendors. Fortinet, Palo Alto, Cisco, Ivanti, and other manufacturers have had to respond to zero-days in their perimeter security products.

The operational lesson is clear: perimeter security devices are high-value targets. They require the same level of monitoring and vulnerability management as any critical server. This includes:

  • Active subscription to vendor advisories
  • Defined process for applying emergency patches
  • Restriction of administrative access to internal networks or specific IPs
  • Monitoring of configuration changes and account creation

It’s not enough to install a firewall and forget about it. The perimeter also needs defense.

At Dédalo we help organizations assess their exposure to critical vulnerabilities and implement effective patching processes. If you need to review your security posture on edge devices, we can coordinate an assessment.