Fortinet has started rolling out security updates to remediate a critical FortiOS vulnerability that is being actively exploited in the wild. The issue, tracked as CVE‑2026‑24858 with a CVSS score of 9.4, is an authentication bypass flaw tied to FortiOS single sign‑on (SSO) functionality. In addition to FortiOS, the vulnerability also affects FortiManager and FortiAnalyzer. Fortinet stated it is still assessing whether other products such as FortiWeb and FortiSwitch Manager may also be impacted.
In an advisory published Tuesday, Fortinet explained that the vulnerability stems from “Authentication Bypass Using an Alternate Path or Channel” (CWE‑288). Under certain conditions, an attacker who possesses a FortiCloud account and a registered device could authenticate to other devices registered to different FortiCloud accounts, provided FortiCloud SSO authentication is enabled on those systems.
Fortinet emphasized that FortiCloud SSO is not enabled by default in factory configurations. The feature is typically activated only when an administrator registers a device to FortiCare via the device GUI, unless the administrator explicitly enables the “Allow administrative login using FortiCloud SSO” option. The disclosure follows Fortinet’s confirmation that unknown threat actors exploited a newly identified attack path that allowed SSO logins without any authentication. According to the company, attackers leveraged this access to create local administrative accounts for persistence, modify configurations to grant VPN access, and exfiltrate firewall configuration data.
In response, Fortinet reported taking several immediate mitigation steps over the past week:
- January 22, 2026: Two malicious FortiCloud accounts were locked
- January 26, 2026: FortiCloud SSO was disabled on the FortiCloud backend
- January 27, 2026: FortiCloud SSO was re‑enabled, while blocking login attempts from devices running vulnerable software versions
As a result, customers must upgrade to patched software versions in order for FortiCloud SSO authentication to function going forward.
Fortinet is also urging customers who observe any indicators of compromise to treat affected systems as breached and take the following remediation actions:
- Verify the device is running the latest firmware release
- Restore configurations from a known good backup or audit for unauthorized changes
- Rotate all credentials, including any LDAP or Active Directory accounts associated with FortiGate devices
The severity of the issue prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE‑2026‑24858 to its Known Exploited Vulnerabilities (KEV) catalog. Under the directive, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the flaw no later than January 30, 2026.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
