Fortinet addresses actively exploited FortiOS SSO vulnerability (CVE-2026-24858)
- Jan 28
Key Findings:
Fortinet has released security updates to address a critical flaw (CVE-2026-24858, CVSS 9.4) impacting FortiOS, FortiManager, and FortiAnalyzer.
The vulnerability is an authentication bypass related to the FortiCloud single sign-on (SSO) feature, which can allow an attacker with a FortiCloud account and a registered device to access other devices registered to different accounts.
The vulnerability is actively being exploited in the wild, with Fortinet confirming two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) were blocked on January 22, 2026.
Fortinet has taken steps to mitigate the issue, including disabling FortiCloud SSO on January 26, 2026, and then re-enabling it on January 27, 2026, while blocking vulnerable versions from accessing the service.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by January 30, 2026.
Background
The vulnerability, CVE-2026-24858, is described as an "Authentication Bypass Using an Alternate Path or Channel" issue (CWE-288) in FortiOS, FortiManager, and FortiAnalyzer. It can allow an attacker with a FortiCloud account and a registered device to log into other devices registered to different accounts, if FortiCloud SSO authentication is enabled on those devices.
Fortinet noted that the FortiCloud SSO login feature is not enabled by default. It is switched on automatically when an administrator registers the device with FortiCare through the GUI, unless the administrator explicitly clears the "Allow administrative login using FortiCloud SSO" option during registration. Devices registered this way are therefore exposed even if nobody consciously chose to enable SSO.
Exploitation and Mitigation
Fortinet confirmed that the vulnerability was being actively exploited by two malicious FortiCloud accounts, which were blocked on January 22, 2026. The company then disabled FortiCloud SSO on January 26, 2026, and re-enabled it on January 27, 2026, with the caveat that vulnerable versions would be blocked from accessing the service.
As a workaround, Fortinet suggested that administrators can manually disable FortiCloud SSO on FortiOS, FortiProxy, FortiManager, and FortiAnalyzer via the GUI or CLI until the systems are fully patched.
Ongoing Threats and Investigations
Fortinet is still investigating whether other products, such as FortiWeb and FortiSwitch Manager, are impacted by the vulnerability. The company has also confirmed that attackers have found a "new attack path" to bypass the patches for previous critical FortiCloud SSO flaws (CVE-2025-59718 and CVE-2025-59719), which were disclosed and exploited in December 2025.
Arctic Wolf researchers have reported observing a new automated attack cluster targeting FortiGate devices since January 15, 2026. The activity resembles the December 2025 campaign, involving malicious SSO logins, firewall configuration changes, and the creation of secondary admin accounts for persistence.
Fortinet is working on a fix to address the latest attack path and plans to release an advisory in the near future. The company is urging customers to ensure their devices are running the latest firmware version, restore configurations with known clean versions, and rotate credentials, including any LDAP/AD accounts connected to the FortiGate devices.
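Two of the actions above, checking whether FortiCloud SSO admin login is still enabled and looking for secondary admin accounts that an attacker may have added for persistence, can be done offline against a configuration backup rather than by clicking through each device. The script below is an added example written for this page, not Fortinet's tooling and not code from any of the sources. The sample configuration is constructed; the stanza syntax (`config system global`, `config system admin`, `edit ... next`) follows the FortiOS CLI backup format, and the global setting name `admin-forticloud-sso-login` is assumed here to be the CLI counterpart of the GUI option quoted earlier (confirm it against your firmware's CLI reference). The expected-admin set is whatever your own inventory says it should be.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a FortiOS configuration backup (not a real device dump).
# The hostname and the "support" account are invented for this example; a
# backup from a device that was registered via the GUI without clearing the
# SSO option would carry the same "enable" line.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "fgt-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# The corrective CLI change (assumed setting name, see lead-in):
#   config system global
#       set admin-forticloud-sso-login disable
#   end
SSO_SETTING = "admin-forticloud-sso-login"


def parse_config(text: str) -> Dict[str, object]:
    """Return the 'system global' settings and the 'system admin' entries.

    Walks the backup line by line, tracking which 'config ... end' block
    and which 'edit ... next' entry we are inside. Only the two blocks the
    check needs are collected; everything else is skipped.
    """
    global_settings: Dict[str, str] = {}
    admins: List[Dict[str, str]] = []
    block = None
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            block = line[len("config "):]
        elif line == "end":
            block = None
        elif block == "system admin" and line.startswith("edit "):
            current = {"name": line[len("edit "):].strip('"')}
        elif block == "system admin" and line == "next":
            admins.append(current)
            current = {}
        elif line.startswith("set "):
            m = re.match(r"set (\S+) (.*)", line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip('"')
            if block == "system global":
                global_settings[key] = value
            elif block == "system admin" and current:
                current[key] = value
    return {"global": global_settings, "admins": admins}


def review(text: str, expected_admins: Set[str]) -> List[str]:
    """Flag SSO admin login left enabled and admin accounts not in the inventory."""
    findings: List[str] = []
    parsed = parse_config(text)
    # FortiOS omits settings at their default; the feature is off by default,
    # so a missing line is treated as "disable".
    sso_state = parsed["global"].get(SSO_SETTING, "disable")
    if sso_state == "enable":
        findings.append("FortiCloud SSO admin login is enabled; disable it until patched")
    for acct in parsed["admins"]:
        if acct["name"] not in expected_admins:
            findings.append(
                f"unexpected admin account {acct['name']!r} "
                f"with profile {acct.get('accprofile')}"
            )
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG, {"admin"}):
        print(finding)
```

Run it over the backups you keep for each FortiGate; a device that reports no findings still needs the firmware update, since the check only confirms the workaround and the absence of obvious persistence, not that the device was never logged into through the SSO path.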
Sources
https://securityaffairs.com/187426/security/fortinet-patches-actively-exploited-fortios-sso-auth-bypass-cve-2026-24858.html
https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
https://www.threads.com/@thehackernews/post/DUC9E54D3YZ/fortinet-issues-patch-update-for-actively-exploited-forti-os-sso-flaw-the-fix
https://x.com/TheHackersNews/status/2016374062818443536