Fortinet has released emergency patches for CVE-2026-24858, an authentication bypass vulnerability affecting FortiOS, FortiManager, and FortiAnalyzer that attackers exploited to create backdoor accounts and modify firewall configurations.
Fortinet has released critical security updates to address an authentication bypass vulnerability (CVE-2026-24858) in FortiOS after detecting active exploitation in the wild. The flaw, which carries a CVSS score of 9.4, enables attackers to bypass single sign-on (SSO) protections when FortiCloud authentication is enabled.
Vulnerability Details
The vulnerability (CWE-288) affects:
- FortiOS
- FortiManager
- FortiAnalyzer
Attackers could leverage a valid FortiCloud account to log into devices registered to other organizations' accounts when FortiCloud SSO authentication is enabled. While not enabled by default, the feature activates when administrators register devices to FortiCare through the GUI interface unless they explicitly disable the "Allow administrative login using FortiCloud SSO" option.
Active Exploitation Pattern
Security researchers observed attackers using this vulnerability to:
- Create persistent local administrator accounts
- Modify firewall configurations to grant VPN access
- Exfiltrate firewall configuration files
- Establish long-term network access
"This represents a new attack vector that bypasses traditional authentication controls," said John Hultquist, Chief Analyst at Mandiant. "Attackers are increasingly targeting identity and access management systems because they provide the keys to the kingdom."
Fortinet's Response Timeline
- January 22, 2026: Disabled two malicious FortiCloud accounts ([email protected] and [email protected])
- January 26, 2026: Temporarily disabled FortiCloud SSO authentication
- January 27, 2026: Re-enabled SSO with version checks blocking vulnerable systems
Required Actions
Organizations should immediately:
- Upgrade to patched versions:
- FortiOS 7.6.4 or later
- FortiManager 7.6.4 or later
- FortiAnalyzer 7.6.4 or later
- Audit configurations for unauthorized changes using Fortinet's configuration verification tools
- Rotate credentials for:
- Local administrator accounts
- Connected LDAP/AD services
- VPN certificates
- Review logs for SSO authentication attempts from unrecognized locations
CISA Directive
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch systems by January 30, 2026.
"This vulnerability demonstrates why organizations need layered authentication controls," noted CISA Director Jen Easterly. "We recommend all enterprises implement Zero Trust principles to limit the blast radius of credential compromises."
Detection Indicators
Security teams should monitor for:
- New local user accounts (especially admin-level)
- Unexpected firewall configuration changes
- Connections from unrecognized FortiCloud accounts
- Configuration file exports via administrative interfaces
Fortinet provides specific detection guidance in its PSIRT advisory, including log analysis procedures and IOC patterns.
This incident follows a pattern of attackers targeting edge security devices. In 2025, similar vulnerabilities were discovered in Palo Alto Networks GlobalProtect and Cisco ASA appliances. Network security professionals should implement regular firmware updates and configuration audits as part of standard security hygiene.
Featured image shows Fortinet firewall hardware. Credit: Fortinet
Comments
Please log in or register to join the discussion