Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign-on (SSO) is enabled on the devices.[1]
Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address the previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature].[2] CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.[3] On Fortinet devices that had been fully upgraded to the latest release addressing CVE-2025-59718 and CVE-2025-59719 at the time of CVE-2026-24858 exploitation, Fortinet observed the following malicious activity:
- Unauthorized firewall configuration changes on FortiGate devices.
- Unauthorized creation of accounts.
- Unauthorized configuration changes of virtual private networks (VPNs) to grant access to new accounts.[4]
According to Fortinet, it disabled all FortiCloud SSO authentication on Jan. 26, 2026, to mitigate CVE-2026-24858, then reinstated the service on Jan. 27, 2026, with changes to prevent exploitation of vulnerable devices.
CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog on Jan. 27, 2026.
CISA urges users to check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and to apply updates as soon as they are available, following Fortinet’s instructions:
- Administrative FortiCloud SSO authentication bypass
- Analysis of Single Sign-On Abuse on FortiOS
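The activity Fortinet observed after exploitation (new accounts and VPN changes made through SSO admin sessions) suggests one practical compromise check: correlate successful SSO administrator logins with later configuration changes from the same session. The script below is an added example, not CISA's or Fortinet's code; the log lines are constructed in the key="value" layout of FortiOS event logs, and the field names (user, ui, method, cfgpath) and the sensitive-path prefixes are assumptions for illustration, so map them to the fields your devices actually emit.

```python
import re

# Constructed sample lines in the key="value" layout of FortiOS event logs.
# Field names and values are assumptions for this example, not device output.
SAMPLE_LOGS = [
    'type="event" subtype="system" action="login" status="success" user="ops-admin" '
    'ui="https(203.0.113.7)" method="sso" msg="Administrator login"',
    'type="event" subtype="system" action="Add" user="ops-admin" ui="https(203.0.113.7)" '
    'cfgpath="system.admin" cfgobj="svc-backup" msg="Add system.admin svc-backup"',
    'type="event" subtype="system" action="Edit" user="ops-admin" ui="https(203.0.113.7)" '
    'cfgpath="vpn.ssl.settings" msg="Edit vpn.ssl.settings"',
    'type="event" subtype="system" action="login" status="success" user="admin" '
    'ui="ssh(10.0.0.5)" method="local" msg="Administrator login"',
    'type="event" subtype="system" action="Edit" user="admin" ui="ssh(10.0.0.5)" '
    'cfgpath="system.interface" msg="Edit system.interface port1"',
]

# Config paths whose modification matches the reported post-exploitation
# activity: account creation and VPN changes (assumed prefixes).
SENSITIVE_PREFIXES = ("system.admin", "user.", "vpn.")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Parse one key="value" log line into a dict, stripping the quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV_RE.findall(line)}

def flag_sso_config_changes(lines):
    """Return (user, ui, action, cfgpath) for sensitive config changes made
    from a session whose last successful login was via SSO."""
    sso_sessions = set()
    findings = []
    for line in lines:
        ev = parse_line(line)
        key = (ev.get("user"), ev.get("ui"))
        if ev.get("action") == "login" and ev.get("status") == "success":
            # Track the login method per (user, ui); a later local login clears it.
            if ev.get("method") == "sso":
                sso_sessions.add(key)
            else:
                sso_sessions.discard(key)
            continue
        path = ev.get("cfgpath", "")
        if key in sso_sessions and path.startswith(SENSITIVE_PREFIXES):
            findings.append((ev["user"], ev["ui"], ev["action"], path))
    return findings

if __name__ == "__main__":
    for f in flag_sso_config_changes(SAMPLE_LOGS):
        print("review: SSO session %s via %s did %s on %s" % f)
```

A hit is a review prompt, not proof of compromise; compare each flagged change against your change records and the account owner.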
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Notes
1. Fortinet, “Administrative FortiCloud SSO Authentication Bypass,” FortiGuard Labs, last modified January 27, 2026, https://fortiguard.fortinet.com/psirt/FG-IR-26-060.
2. Fortinet, “Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass,” FortiGuard Labs, last modified December 9, 2025, https://fortiguard.fortinet.com/psirt/FG-IR-25-647.
3. Carl Windsor, “Analysis of Single Sign-On Abuse on FortiOS,” PSIRT Blogs (blog), Fortinet, last modified January 22, 2026, https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios.
4. Arctic Wolf Labs, “Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts,” Arctic Wolf Blog (blog), Arctic Wolf, last modified January 21, 2026, https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/.
