Key Takeaway
CVE-2026-24858 is an authentication bypass flaw in Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy that allows any valid FortiCloud account holder to authenticate against devices registered to other FortiCloud accounts when SSO is enabled. Exploitation requires no privileges on the target device and grants direct administrative access, posing severe risk in MSP and multi-tenant environments. CISA mandates federal agency remediation by January 30, 2026; organizations should immediately disable FortiCloud SSO and audit device access logs pending patch availability.
CVE-2026-24858: Fortinet FortiCloud SSO Authentication Bypass Exposes Cross-Account Device Access
CVE ID: CVE-2026-24858
Vendor: Fortinet
Affected Products: FortiAnalyzer, FortiManager, FortiOS, FortiProxy
Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
CISA Federal Patch Deadline: January 30, 2026
Vulnerability Overview
Fortinet has disclosed an authentication bypass vulnerability affecting FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. The flaw, tracked as CVE-2026-24858, exists in the FortiCloud Single Sign-On (SSO) authentication flow and allows an attacker holding any legitimate FortiCloud account to authenticate against devices registered to entirely separate FortiCloud accounts.
The vulnerability is classified as an authentication bypass via an alternate path or channel. Rather than exploiting a memory corruption bug or injection flaw, the attacker abuses a logic error in how FortiCloud SSO validates device-account binding during authentication. The SSO mechanism fails to enforce strict account-to-device ownership checks, meaning a valid FortiCloud credential—regardless of which account it belongs to—can satisfy the authentication requirement on a target device when FortiCloud SSO is enabled.
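To make the logic error concrete, here is a schematic model of the missing binding check, added for this article and not taken from Fortinet's code or the real FortiCloud SSO flow. An HMAC-signed assertion stands in for whatever the identity provider actually returns; the device serial, account identifiers and signing key are constructed for the example. The vulnerable check accepts any authentic assertion; the hardened check additionally requires that the asserted account is the one the device is registered to.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed for this example: a shared secret standing in for whatever trust
# anchor the identity provider and the device actually share. Not a real key.
IDP_SECRET = b"example-idp-signing-key-not-real"


@dataclass(frozen=True)
class Device:
    serial: str                # constructed, not a real Fortinet serial
    forticloud_account: str    # the FortiCloud account the device is registered to


def issue_assertion(account_id: str, user: str) -> dict:
    """Model of the identity provider side: any holder of any FortiCloud account
    can obtain a genuinely signed assertion for their own account."""
    payload = {"account_id": account_id, "user": user}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def _signature_valid(assertion: dict) -> bool:
    body = json.dumps(assertion["payload"], sort_keys=True).encode()
    expected = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def vulnerable_sso_login(device: Device, assertion: dict) -> bool:
    """The flawed check (CWE-288 pattern): the device confirms the assertion is
    authentic, i.e. really issued by the IdP, but never asks whether the
    asserted account is the one this device belongs to. Authentication of the
    caller is mistaken for authorization on this device."""
    return _signature_valid(assertion)


def hardened_sso_login(device: Device, assertion: dict) -> bool:
    """The binding check the overview describes as missing: after the
    signature, the asserted account must equal the device's registered account."""
    if not _signature_valid(assertion):
        return False
    return assertion["payload"]["account_id"] == device.forticloud_account


def demo() -> dict:
    """Run both checks against a legitimate login, a cross-account login and a
    tampered assertion; returns the outcomes so they can be inspected."""
    victim = Device(serial="FGT-EXAMPLE-0001", forticloud_account="acct-victim")
    legit = issue_assertion("acct-victim", "netops")        # victim's own admin
    cross = issue_assertion("acct-attacker", "mallory")     # any other account
    # Attacker edits the account id without being able to re-sign: fails everywhere.
    forged = {"payload": {"account_id": "acct-victim", "user": "mallory"},
              "sig": cross["sig"]}
    return {
        "vulnerable": {
            "legit": vulnerable_sso_login(victim, legit),
            "cross_account": vulnerable_sso_login(victim, cross),   # True: the bypass
            "forged": vulnerable_sso_login(victim, forged),
        },
        "hardened": {
            "legit": hardened_sso_login(victim, legit),
            "cross_account": hardened_sso_login(victim, cross),     # False
            "forged": hardened_sso_login(victim, forged),
        },
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the model makes is that signature validity proves only that the caller is some FortiCloud account holder; ownership of this particular device is a separate claim that the device must check itself, and that is the check the advisory describes as absent.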
Technical Details
The attack vector requires two conditions: the attacker must hold a valid FortiCloud account (any account, not necessarily privileged), and the target device must have FortiCloud SSO authentication enabled. No additional credentials, exploits, or elevated access to the target organization's infrastructure are needed beyond knowing that the target device is registered with FortiCloud.
This is a network-accessible attack. The attacker does not require physical access or a foothold inside the victim's network perimeter. Any FortiGate firewall, FortiProxy gateway, FortiAnalyzer log management appliance, or FortiManager network management system with FortiCloud SSO enabled is potentially reachable if the management interface is exposed.
No CVSS score has been published at the time of this advisory. Given the low attack complexity, no required privileges on the target device, and the potential for direct administrative access, organizations should treat this as a critical-severity issue until Fortinet publishes an official severity rating.
Real-World Impact
Successful exploitation grants an attacker unauthorized administrative access to the affected device. The practical consequences vary by product:
- FortiOS / FortiGate: An attacker can modify firewall policies, create VPN backdoors, exfiltrate configuration data, or disable security controls entirely.
- FortiManager: Administrative compromise allows an attacker to push malicious configurations to all managed FortiGate devices across an organization's estate.
- FortiAnalyzer: An attacker gains access to centralized log data, which may include sensitive network telemetry, authentication events, and forensic artifacts. Logs can also be tampered with or deleted to cover tracks.
- FortiProxy: Compromise enables interception or manipulation of proxied web traffic.
Organizations using FortiCloud SSO for centralized identity management—a common configuration in managed service provider (MSP) environments and large distributed enterprises—carry the highest exposure. MSPs managing multiple customer tenants through a shared FortiCloud infrastructure face a particularly acute risk: a single compromised or malicious FortiCloud account could be used to pivot across multiple customer environments if SSO is uniformly enabled.
CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog and mandated that federal civilian executive branch (FCEB) agencies remediate by January 30, 2026. While the mandate under Binding Operational Directive 22-01 applies only to federal agencies, CISA's published criteria for adding an entry to KEV require reliable evidence of active exploitation, so inclusion should be read as confirmation that the flaw is being exploited in the wild rather than as a precautionary warning.
Affected Versions
Fortinet has not yet published a complete version matrix at the time of this advisory. Organizations should consult the official Fortinet Product Security Incident Response Team (PSIRT) advisory at https://www.fortiguard.com/psirt to confirm which specific firmware and software versions are vulnerable across FortiAnalyzer, FortiManager, FortiOS, and FortiProxy product lines.
Mitigation and Patching Guidance
Immediate actions, in priority order:
- Disable FortiCloud SSO authentication on all affected devices. Navigate to each device's authentication configuration and revert to local authentication or an alternative identity provider that does not rely on FortiCloud SSO. This removes the attack vector entirely until patches are available.
- Restrict management interface access. If FortiCloud SSO cannot be immediately disabled, place all management interfaces behind a dedicated, access-controlled management VLAN or VPN. Block public internet access to FortiManager, FortiAnalyzer, and FortiOS/FortiProxy management ports at the network perimeter.
- Audit FortiCloud account activity. Pull access logs from all affected devices and cross-reference authentication events against the list of expected FortiCloud accounts associated with your organization. Flag and investigate any authentication events from unrecognized FortiCloud account identifiers.
- Review FortiManager-pushed configurations. If FortiManager is in scope, audit recent configuration pushes to managed devices for unauthorized policy changes, new administrative accounts, VPN configurations, or modified routing rules.
- Apply vendor patches as released. Monitor Fortinet's PSIRT advisory page and apply patches to all affected products as Fortinet publishes them. Federal agencies must achieve full remediation by January 30, 2026, per CISA's KEV directive.
- Rotate FortiCloud credentials. Treat all FortiCloud account credentials as potentially exposed. Rotate passwords and review which accounts have device registration privileges within your FortiCloud tenant.
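The audit step above is the one most teams will need to automate across many devices. The following script is an added example written for this article, not a Fortinet tool: it parses FortiOS-style key=value event log lines, keeps only administrator login events that came through SSO, and reports any whose FortiCloud account is not in the organization's expected set. The sample log lines are constructed, and the field values used to recognise an SSO login (the `method` marker in particular) are assumptions that must be confirmed against the device's own log reference before the filter is trusted.

```python
import re
from typing import Iterable

# Key=value tokens; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumptions for this example: administrator logins carry action=login with
# status=success|failed, the logging-in identity is in `user`, and a FortiCloud
# SSO login is distinguishable by a `method` value. The marker below is a
# placeholder; confirm the real field values against your device's log reference.
SSO_METHOD_MARKER = "forticloud-sso"


def parse_fortios_log_line(line: str) -> dict:
    """Parse one FortiOS-style key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def find_suspect_sso_logins(lines: Iterable[str], expected_accounts: set) -> list:
    """Return SSO admin login events (successful or failed) whose FortiCloud
    account is not in the organisation's expected set. Successful ones come first."""
    expected = {a.lower() for a in expected_accounts}
    findings = []
    for raw in lines:
        rec = parse_fortios_log_line(raw)
        if rec.get("action") != "login":
            continue
        if rec.get("method", "").lower() != SSO_METHOD_MARKER:
            continue                      # local / other-IdP logins are out of scope
        account = rec.get("user", "").lower()
        if account in expected:
            continue
        findings.append({
            "when": f'{rec.get("date", "?")} {rec.get("time", "?")}',
            "account": account,
            "srcip": rec.get("srcip", "?"),
            "status": rec.get("status", "?"),
            "device": rec.get("devname", "?"),
        })
    # Successful cross-account logins are the ones to investigate first.
    findings.sort(key=lambda f: f["status"] != "success")
    return findings


# Constructed sample log lines (not captured from any real device). Field names
# follow FortiOS key=value style; names, addresses and dates are made up.
SAMPLE_LOG = [
    'date=2026-01-19 time=08:02:11 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" action="login" status="success" method="https" user="admin" '
    'srcip=10.0.0.5 msg="Administrator admin logged in successfully"',
    'date=2026-01-19 time=08:40:27 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" action="login" status="success" method="forticloud-sso" '
    'user="netops@victim.example" srcip=10.0.0.9 msg="SSO login"',
    'date=2026-01-20 time=02:13:44 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" action="login" status="failed" method="forticloud-sso" '
    'user="mallory@other.example" srcip=198.51.100.7 msg="SSO login failed"',
    'date=2026-01-20 time=02:14:09 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" action="login" status="success" method="forticloud-sso" '
    'user="mallory@other.example" srcip=198.51.100.7 msg="SSO login"',
    'date=2026-01-20 time=02:16:52 devname="fw-edge-01" type="event" subtype="system" '
    'level="notice" action="Edit" cfgpath="system.admin" user="mallory@other.example" '
    'msg="Edit system.admin"',
]

EXPECTED_ACCOUNTS = {"netops@victim.example", "soc@victim.example"}


def audit_sample() -> list:
    """Run the audit over the constructed sample; returns the suspect events."""
    return find_suspect_sso_logins(SAMPLE_LOG, EXPECTED_ACCOUNTS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Once a successful cross-account login is found, the follow-on question is what that session did: pivot on the same `user` value in later configuration-change records (the constructed `cfgpath="system.admin"` line above is the kind of entry to look for), which ties this check to the FortiManager configuration review in the next step.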
Organizations using MSP-managed Fortinet infrastructure should contact their service providers immediately to confirm the status of FortiCloud SSO across managed devices and request audit logs covering the past 90 days.
References
- Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA Binding Operational Directive 22-01: https://www.cisa.gov/binding-operational-directive-22-01
Original Source
CISA KEV
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.