Fortinet has begun rolling out security patches for a serious flaw in FortiOS that is being actively exploited in the wild.
The vulnerability, tracked as CVE-2026-24858, carries a CVSS score of 9.4, placing it in the critical range. It is an authentication bypass in the single sign-on (SSO) feature of FortiOS, and it also affects FortiManager and FortiAnalyzer. Fortinet is still determining whether other products, including FortiWeb and FortiSwitch Manager, are similarly affected.
According to Fortinet's advisory, which was issued on January 26, 2026, "An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, and FortiAnalyzer may allow an attacker possessing a FortiCloud account along with a registered device to gain access to other devices linked to different accounts, provided that FortiCloud SSO authentication is enabled on those devices." This means that if exploited, attackers could potentially infiltrate other users' devices, leading to unauthorized access and control.
Note that the FortiCloud SSO login feature is not enabled in factory-default settings. Administrators typically enable it when registering the device with FortiCare through the device's graphical user interface (GUI), unless they toggle off the option that allows administrative logins via FortiCloud SSO.
This alarming news comes shortly after Fortinet confirmed the discovery of unidentified threat actors who were exploiting what has been termed a "new attack path" to perform SSO logins without any form of authentication. The exploitation allowed these malicious actors to create local administrator accounts, alter configurations to provide VPN access to these accounts, and extract firewall configurations, raising serious concerns about network security.
In response to this situation, Fortinet has undertaken several critical actions over the past week:
1. On January 22, 2026, two fraudulent FortiCloud accounts, specifically cloud-noc@mail.io and cloud-init@mail.io, were disabled.
2. FortiCloud SSO was turned off on January 26, 2026, to mitigate risks.
3. On January 27, 2026, FortiCloud SSO was re-enabled, but with the stipulation that login from devices operating on vulnerable versions would be disabled.
This means that users must upgrade to the latest software versions to continue using FortiCloud SSO authentication. Fortinet also strongly advises anyone who suspects a device may have been compromised to treat it as breached and to take immediate action by:
- Ensuring that the device is updated to the latest firmware version.
- Restoring configurations from a known safe version or auditing for any unauthorized modifications.
- Rotating credentials, including any associated LDAP/AD accounts linked to FortiGate devices.
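One way to carry out the configuration audit in the second step, as an added example that is not Fortinet's own tooling: a small Python script that parses two FortiOS CLI backups (a known-good one and the current one) and flags admin accounts missing from the baseline together with every other changed setting, which covers the rogue-admin and VPN-access changes described above. The sample backups and the account name `svc-backup` are constructed for this example.

```python
import shlex

# Constructed sample FortiOS CLI backup for this example (not a real FortiGate config).
BASELINE = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config user group
    edit "sslvpn_users"
        set member "admin"
    next
end
"""
# The same backup after a rogue super_admin was added and placed in the SSL-VPN group.
CURRENT = BASELINE.replace('    next\nend', '    next\n    edit "svc-backup"\n'
                           '        set accprofile "super_admin"\n    next\nend', 1)
CURRENT = CURRENT.replace('set member "admin"', 'set member "admin" "svc-backup"')

def parse_fortios_config(text):
    """Map each 'table / edit <name>' path to the 'set' keys and values under it."""
    entries, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        tok = shlex.split(line) if line and not line.startswith("#") else [""]
        if tok[0] == "config":                      # open a table, e.g. 'system admin'
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":                      # open an entry inside the table
            stack.append("edit " + tok[1])
            entries.setdefault(" / ".join(stack), {})
        elif tok[0] in ("next", "end") and stack:   # close entry / table
            stack.pop()
        elif tok[0] == "set" and stack:
            entries.setdefault(" / ".join(stack), {})[tok[1]] = " ".join(tok[2:])
    return entries

def audit_config(baseline_text, current_text):
    """Report admin accounts absent from the baseline and every other changed setting."""
    base, cur = parse_fortios_config(baseline_text), parse_fortios_config(current_text)
    findings = {"added_admins": [], "changed": []}
    for path, settings in cur.items():
        if path.startswith("system admin / edit ") and path not in base:
            findings["added_admins"].append(path.split("edit ", 1)[1])
            continue
        for key, value in settings.items():
            if base.get(path, {}).get(key) != value:    # new or modified value
                findings["changed"].append((path, key, value))
    return findings
```

Calling `audit_config(BASELINE, CURRENT)` returns the added `svc-backup` admin and the changed `member` list of the SSL-VPN group; for a real audit, pass the text of two backups taken on the same firmware version.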
This situation has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include CVE-2026-24858 in its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to address these vulnerabilities by January 30, 2026.