MDR
Solutions
Partners
About
Resources
A critical authentication bypass vulnerability has been identified across multiple Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. The flaw affects deployments where FortiCloud SSO authentication is enabled and allows unauthorized administrative access across devices registered to different FortiCloud accounts. Successful exploitation can result in full administrative access to affected systems. The vulnerability has been confirmed as actively exploited in the wild. It does not affect default factory configurations unless FortiCloud SSO login has been explicitly enabled.
CVE
CVE-2026-24858
Targeting / Delivery Mechanism
The vulnerability can be exploited by an attacker with a FortiCloud account and a registered device. If FortiCloud SSO is enabled on vulnerable systems, the attacker may authenticate to other registered devices via an alternate authentication path. Observed exploitation includes SSO logins from attacker-controlled accounts followed by creation of local administrative users for persistence.
Execution Technique
The issue is classified as Authentication Bypass Using an Alternate Path or Channel (CWE-288). Improper validation of FortiCloud SSO authentication allows unauthorized cross-account device access.
Persistence / Deployment
Post-authentication activity includes downloading configuration files and creating new local super_admin accounts (e.g., audit, secadmin, support) to maintain persistent access even if SSO access is revoked.
Operational Impact
Risk is Critical across government and business entities of all sizes. Successful exploitation grants administrative control over firewalls and management appliances, potentially enabling configuration tampering, VPN manipulation, credential harvesting, lateral movement, or full network compromise.
Validate Integrity
Determine whether FortiCloud SSO login is enabled. Review administrative login logs for suspicious SSO accounts (e.g., cloud-init@mail.io, cloud-noc@mail.io) and anomalous source IP addresses, including Cloudflare-associated IP ranges. Audit for newly created local admin accounts and unexpected configuration exports. Treat any confirmed IOC presence as a full compromise scenario.
Respond to Confirmed Compromise
Upgrade immediately to the fixed firmware versions for each affected branch. Restore configurations from known-good backups and audit all administrative accounts. Remove unauthorized users, rotate credentials (including LDAP/AD integrations), and revalidate VPN and firewall policies. If IOCs are present, treat the configuration as compromised.
Strengthen Preventative Controls
Apply Fortinet stable channel updates following testing. Restrict or disable FortiCloud SSO if not operationally required. Enforce least privilege for administrative accounts and segment management interfaces from untrusted networks. Implement continuous vulnerability scanning and monitoring for abnormal administrative activity.
References
https://www.fortiguard.com/psirt/FG-IR-26-060
https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694
https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
Trusted by clients worldwide
Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.
.jpg)