Security Advisory: CVE-2026-24858 – FortiCloud SSO Exploitation Risk

Advisory ID: CVE-2026-24858
Severity: Critical
CVSSv3 Score: 9.8
Published Date: January 27, 2026
CISA KEV Inclusion: Yes

Summary

A critical authentication bypass vulnerability affecting multiple Fortinet products using FortiCloud Single Sign-On (SSO) is being actively exploited. An attacker with a valid FortiCloud account and a registered device could gain administrative access to other devices where SSO was enabled.

FortiCloud SSO is not enabled by default, but a device may be exposed if the feature was switched on during registration, whether or not an administrator intended to use it. Fortinet has implemented cloud-side protections to block SSO logins involving vulnerable devices; these reduce exposure but do not remediate the flaw, so the vendor-recommended updates below are still required.

Who is Affected?

Organizations running FortiOS, FortiManager, FortiAnalyzer, FortiProxy, or FortiWeb with FortiCloud SSO enabled should assume potential exposure. Devices registered through FortiCare with SSO enabled during registration may also be at risk, even if the feature was not intentionally configured.

Affected Versions and Required Updates

FortiAnalyzer

  • 7.6.0–7.6.5 → Upgrade to 7.6.6 or later
  • 7.4.0–7.4.9 → Upgrade to 7.4.10 or later
  • 7.2.0–7.2.11 → Upgrade to 7.2.12 or later
  • 7.0.0–7.0.15 → Upgrade to 7.0.16 or later
  • 6.4 → Not affected

FortiManager

  • 7.6.0–7.6.5 → Upgrade to 7.6.6 or later
  • 7.4.0–7.4.9 → Upgrade to 7.4.10 or later
  • 7.2.0–7.2.11 → Upgrade to 7.2.12 or later
  • 7.0.0–7.0.15 → Upgrade to 7.0.16 or later
  • 8.0 and 6.4 → Not affected

FortiOS

  • 7.6.0–7.6.5 → Upgrade to 7.6.6 or later
  • 7.4.0–7.4.10 → Upgrade to 7.4.11 or later
  • 7.2.0–7.2.12 → Upgrade to 7.2.13 or later
  • 7.0.0–7.0.18 → Upgrade to 7.0.19 or later
  • 8.0 and 6.4 → Not affected

FortiProxy

  • 7.6.0–7.6.4 → Upgrade to 7.6.6 or later
  • 7.4.0–7.4.12 → Upgrade to 7.4.13 or later
  • 7.2.0–7.2.15 → Upgrade to 7.2.16 or later
  • 7.0.0–7.0.22 → Upgrade to 7.0.23 or later

FortiWeb

  • 8.0.0–8.0.3 → Upgrade to 8.0.4 or later
  • 7.6.0–7.6.6 → Upgrade to 7.6.7 or later
  • 7.4.0–7.4.11 → Upgrade to 7.4.12 or later
  • 7.2 and 7.0 → Not affected

Vulnerability Details

CVE-2026-24858 – Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Affected devices do not adequately validate trust in the FortiCloud SSO authentication path. An attacker holding a valid FortiCloud account and a registered device can use that path to authenticate to other devices where SSO is enabled, gaining administrative access without stolen local credentials, so strong local passwords and local MFA do not protect against it.

Observed attacker activity includes:

  • Downloading device configuration files
  • Creating a local administrator account for persistence

Indicators of Compromise

Suspicious SSO login accounts observed:

Local admin accounts created by attackers:
audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system, adccount

Organizations should review authentication logs and administrative accounts for any unauthorized access or unfamiliar users.
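To make the version table and the account review above concrete, the following script (an added example, not Fortinet's or Xiologix's tooling) triages a single FortiOS configuration backup: it reads the firmware version from the backup header, checks it against the affected ranges listed in this advisory, and lists every local administrator, flagging names that match the indicator list or that are not on an expected baseline. It assumes the backup begins with the standard "#config-version=<model>-<major.minor.patch>-FW-build..." header and that administrators appear as `edit "<name>"` entries under `config system admin`; the sample configuration is constructed for the example.

```python
"""Triage a FortiOS config backup against CVE-2026-24858 (added example).

Assumptions: the backup starts with the usual FortiOS header line
"#config-version=<model>-<major.minor.patch>-FW-build<n>-<date>:..." and
admin accounts appear as 'edit "<name>"' under "config system admin".
"""
import re

# Affected ranges and first fixed versions, copied from the advisory table:
# (lowest affected, highest affected, upgrade target).
_FAZ_FMG = [((7, 6, 0), (7, 6, 5), "7.6.6"), ((7, 4, 0), (7, 4, 9), "7.4.10"),
            ((7, 2, 0), (7, 2, 11), "7.2.12"), ((7, 0, 0), (7, 0, 15), "7.0.16")]
AFFECTED = {
    "FortiAnalyzer": _FAZ_FMG,
    "FortiManager": _FAZ_FMG,
    "FortiOS": [((7, 6, 0), (7, 6, 5), "7.6.6"), ((7, 4, 0), (7, 4, 10), "7.4.11"),
                ((7, 2, 0), (7, 2, 12), "7.2.13"), ((7, 0, 0), (7, 0, 18), "7.0.19")],
    "FortiProxy": [((7, 6, 0), (7, 6, 4), "7.6.6"), ((7, 4, 0), (7, 4, 12), "7.4.13"),
                   ((7, 2, 0), (7, 2, 15), "7.2.16"), ((7, 0, 0), (7, 0, 22), "7.0.23")],
    "FortiWeb": [((8, 0, 0), (8, 0, 3), "8.0.4"), ((7, 6, 0), (7, 6, 6), "7.6.7"),
                 ((7, 4, 0), (7, 4, 11), "7.4.12")],
}

# Local admin account names from the Indicators of Compromise section.
IOC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support",
                   "backupadmin", "deploy", "remoteadmin", "security",
                   "svcadmin", "system", "adccount"}

# Constructed sample backup: a 7.4.3 unit with one attacker-style account.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.3-FW-build2573-240201:opmode=0:vdom=0:user=admin
config system global
    set hostname "branch-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "backupadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "noc-ro"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

HEADER_RE = re.compile(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-FW-build", re.M)
ADMIN_BLOCK_RE = re.compile(r"^config system admin\n(.*?)^end", re.M | re.S)
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"', re.M)


def config_version(text):
    """Return the firmware version from the backup header as a (major, minor, patch) tuple."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no #config-version header found")
    return tuple(int(x) for x in m.groups())


def exposure(product, version):
    """Return the upgrade target if `version` falls in an affected range, else None.

    None only means the version is outside the ranges the advisory lists;
    branches the advisory marks "Not affected" (6.4, 8.0) fall through here.
    """
    for low, high, fixed in AFFECTED[product]:
        if low <= version <= high:
            return fixed
    return None


def admin_accounts(text):
    """List local administrator names defined under 'config system admin'."""
    m = ADMIN_BLOCK_RE.search(text)
    return EDIT_RE.findall(m.group(1)) if m else []


def triage(text, known_good=frozenset({"admin"})):
    """Combine the version check with the admin account review for one backup."""
    version = config_version(text)
    accounts = admin_accounts(text)
    return {
        "version": ".".join(map(str, version)),
        "upgrade_to": exposure("FortiOS", version),
        "ioc_accounts": sorted(a for a in accounts if a.lower() in IOC_ADMIN_NAMES),
        "unexpected_accounts": sorted(a for a in accounts if a not in known_good),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents and `known_good` with your documented administrator list. A name absent from the indicator list is not proof of a clean device; any administrator you cannot account for deserves the same log review, since the attacker names observed so far are only the ones reported to date.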

Action Required

All affected systems should be upgraded to the latest patched versions listed above. Fortinet’s cloud-side protections prevent login from vulnerable devices but do not eliminate the need to apply vendor-recommended updates to fully remediate risk.

Support and Assistance

Xiologix is available to help assess environments, apply updates, and validate configurations. For organizations supported through our Managed Services, we have already begun reviewing affected devices and implementing remediation measures.
