Fortinet Confirms Active Exploitation of Critical FortiCloud SSO Bypass Flaw

Authentication weakness under active attack prompts urgent upgrades and federal remediation deadlines.

Published on Jan 28, 2026
Fortinet

Fortinet has confirmed active exploitation of a critical authentication bypass vulnerability affecting several of its core security platforms, warning customers to urgently review configurations and apply available updates. 

The flaw, tracked as CVE-2026-24858 and rated 9.4 on the Common Vulnerability Scoring System (CVSS), affects FortiOS, FortiManager, FortiProxy and FortiAnalyzer when FortiCloud single sign-on (SSO) is enabled.

The vulnerability could allow an attacker who has a FortiCloud account and a registered device to perform SSO on other customers' devices via an unintended SSO authentication path.

Fortinet said threat actors used the access to create new local administrator accounts, enable virtual private network (VPN) access, and extract firewall configuration data.

The company also explained that while FortiCloud SSO is not enabled by default, it can be automatically activated during FortiCare registration unless administrators manually disable it.

Exploitation Observed on Fully Patched Systems

Fortinet received the first customer reports of these attacks in late January 2026; they were initially attributed to the similar attacks against FortiCloud SSO that had been reported and fixed in December 2025.

However, investigations revealed that some compromised devices were running the latest available firmware, indicating a previously unknown attack path.

As a result, Fortinet removed two malicious FortiCloud accounts that were being used in the attacks, turned off FortiCloud SSO at the service level until server-side controls could be implemented to block authentication to vulnerable software versions, and then restored FortiCloud SSO.

Due to these measures, organizations must upgrade to supported releases for FortiCloud SSO to function again.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, setting a remediation deadline of Jan. 30, 2026 for Federal Civilian Executive Branch agencies.

Fortinet advises organizations that detect indicators of compromise (IoCs) to treat affected devices as breached.

Recommended actions include restoring configurations from known-clean backups, auditing all administrator accounts, rotating credentials, and reassessing SSO settings.
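The account audit and SSO review above can be started from a configuration backup. The following is an added example, not Fortinet code: it parses a constructed FortiOS-style CLI backup, lists the local administrator accounts, flags any not on an approved list, and reports whether the FortiCloud SSO login setting is enabled. The setting name `admin-forticloud-sso-login` under `config system global` is an assumption; verify it against your firmware's CLI reference.

```python
import re

# Constructed sample of a FortiOS-style CLI config backup (not a real device dump).
# "admin-forticloud-sso-login" is assumed to be the FortiCloud SSO login toggle.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

def parse_admins(config_text):
    """Return admin names declared directly under 'config system admin'.
    A block stack keeps nested config/end pairs from ending the section early."""
    admins, stack = [], []
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s)
        elif s == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] == "config system admin":
            m = re.match(r'edit "([^"]+)"', s)
            if m:
                admins.append(m.group(1))
    return admins

def forticloud_sso_enabled(config_text):
    """True when the (assumed) FortiCloud SSO login setting is enabled."""
    pattern = r'^\s*set admin-forticloud-sso-login enable\s*$'
    return re.search(pattern, config_text, re.M) is not None

def audit(config_text, approved_admins):
    """Flag admin accounts outside the approved set and report the SSO state."""
    unexpected = [a for a in parse_admins(config_text) if a not in approved_admins]
    return {"unexpected_admins": unexpected,
            "sso_enabled": forticloud_sso_enabled(config_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"admin"}))
```

Run it against a backup taken before the suspected compromise window as well, so newly created accounts stand out by comparison.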