Fortinet multiple products, authentication bypass via FortiCloud SSO (alternate-channel)
An authentication bypass using an alternate path or channel in multiple Fortinet products, including FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb and FortiNAC-F, may allow an attacker who holds a FortiCloud account with a registered device to log into devices registered to other FortiCloud accounts, when FortiCloud SSO authentication is enabled on those devices. Fortinet confirmed the flaw was being exploited in the wild by malicious FortiCloud accounts.
Overview
CVE-2026-24858 is a critical authentication bypass affecting a wide range of Fortinet products, including FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb and FortiNAC-F. When FortiCloud single sign-on (SSO) authentication is enabled on a device, an attacker who holds any FortiCloud account and a registered device can authenticate to devices registered to other accounts. Fortinet published advisory FG-IR-26-060 and confirmed the flaw was being exploited in the wild by two malicious FortiCloud accounts, making it a zero-day. NVD lists the Fortinet CNA CVSS 3.1 base score of 9.8 (Fortinet's own headline score is 9.4) and a weakness of CWE-288. CISA added the CVE to its Known Exploited Vulnerabilities catalog on 27 January 2026.
Technical Details
The vulnerability is an authentication bypass using an alternate path or channel (CWE-288). The FortiCloud SSO login flow fails to bind an authenticated FortiCloud identity to the specific device that identity is authorised to manage. As a result, the SSO channel accepts any valid FortiCloud session as proof of authorisation for devices belonging to unrelated tenants, letting an attacker pivot from their own registered device into devices owned by other accounts. Exploitation requires only a legitimate FortiCloud account and network reachability to the target device's administrative login; no memory-corruption or injection primitive is involved.
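The following is an added illustration of the missing tenant-binding check described above, written for this page and not taken from Fortinet's code or the advisory. It models a cloud-SSO admin login in miniature: the device registry, the assertion format, the signing key and every function name are assumptions. The vulnerable variant accepts any validly signed FortiCloud-style assertion for any SSO-enabled device; the fixed variant additionally requires that the asserted account is the one the device is registered to, which is the property the CWE-288 weakness lacks.

```python
"""Conceptual model of tenant binding in a cloud-SSO administrative login.
Added example, not Fortinet's implementation: data shapes, names and the
assertion format are assumptions made for the illustration."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

SSO_KEY = b"constructed-demo-signing-key"  # constructed stand-in for the SSO provider's key


@dataclass(frozen=True)
class Device:
    serial: str
    owner_account: str      # cloud account the device is registered to
    sso_admin_login: bool   # "Allow administrative login using FortiCloud SSO"


# Constructed registry: three tenants, one device each; tenant C has SSO login off.
REGISTRY = {
    "FG-TENANT-A-0001": Device("FG-TENANT-A-0001", "tenant-a@example.com", True),
    "FG-TENANT-B-0001": Device("FG-TENANT-B-0001", "tenant-b@example.com", True),
    "FG-TENANT-C-0001": Device("FG-TENANT-C-0001", "tenant-c@example.com", False),
}


def issue_assertion(account: str, ttl: int = 300) -> str:
    """Constructed SSO assertion: base64(JSON claims) + '.' + HMAC-SHA256 tag."""
    claims = {"sub": account, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_assertion(token: str) -> Optional[dict]:
    """Return the claims if the tag is valid and the assertion is unexpired, else None."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def sso_login_vulnerable(token: str, device_serial: str) -> bool:
    """Alternate-channel bypass pattern (CWE-288): a valid SSO session from ANY
    account is taken as proof of authorisation for any SSO-enabled device."""
    device = REGISTRY.get(device_serial)
    if device is None or not device.sso_admin_login:
        return False
    return verify_assertion(token) is not None


def sso_login_fixed(token: str, device_serial: str) -> bool:
    """Hardened: the asserted identity must be the account this device is registered to."""
    device = REGISTRY.get(device_serial)
    if device is None or not device.sso_admin_login:
        return False
    claims = verify_assertion(token)
    if claims is None:
        return False
    # The binding that the vulnerable path omits: identity -> device ownership.
    return claims.get("sub") == device.owner_account


if __name__ == "__main__":
    token_a = issue_assertion("tenant-a@example.com")
    for serial in REGISTRY:
        print(serial, "vulnerable:", sso_login_vulnerable(token_a, serial),
              "fixed:", sso_login_fixed(token_a, serial))
```

Note that the device with SSO administrative login disabled is rejected by both variants, which is why the workaround in the Mitigation section removes exposure without a firmware upgrade.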
Impact
- Cross-tenant administrative access to Fortinet devices using FortiCloud SSO
- Full takeover of affected FortiGate, FortiManager, FortiAnalyzer and related appliances
- Exposure of security policy, logs and managed-device inventories
- Confirmed in-the-wild abuse via malicious FortiCloud accounts
Mitigation
- Upgrade FortiOS 7.6 to 7.6.6, 7.4 to 7.4.11, 7.2 to 7.2.13, and 7.0 to 7.0.19 or above.
- Upgrade FortiProxy 7.6 to 7.6.5, 7.4 to 7.4.13, 7.2 to 7.2.16, and 7.0 to 7.0.23 or above.
- Upgrade FortiManager and FortiAnalyzer 7.6 to 7.6.6, 7.4 to 7.4.10, 7.2 to 7.2.12, and 7.0 to 7.0.16 or above.
- Upgrade FortiWeb 8.0 to 8.0.4, 7.6 to 7.6.7, and 7.4 to 7.4.12 or above; upgrade FortiNAC-F 7.6 to 7.6.6 or above.
- As an immediate workaround, disable FortiCloud SSO administrative login on affected devices using the "Allow administrative login using FortiCloud SSO" setting or the equivalent CLI command.
Detection
- CISA added CVE-2026-24858 to the KEV catalog on 27 January 2026 with a near-immediate remediation due date.
- Review administrative login records for FortiCloud SSO logins that do not correspond to your own FortiCloud accounts or expected administrators.
- Audit which devices have FortiCloud SSO enabled, as only those are exploitable, and disable it where it is not required.
- Fortinet's PSIRT analysis of SSO abuse on FortiOS provides additional behavioural indicators for hunting unauthorised cross-account access.