Fortinet faces another critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.4) that circumvents their December SSO patch, leaving customers scrambling for fixes while attackers exploit alternate attack paths.
Fortinet's security woes continue to mount as the company disclosed a new critical vulnerability (CVE-2026-24858, CVSS score 9.4) that bypasses their December patch for FortiCloud SSO authentication issues. The discovery comes as a significant blow to administrators who believed they had addressed the security concerns following last month's emergency updates.
The Patch That Wasn't
The latest vulnerability represents an alternate attack path that security researchers and attackers discovered after Fortinet's December patches (CVE-2025-59718 and CVE-2025-59719) were deployed. Despite customers applying the recommended updates, reports of successful compromises began surfacing, forcing Fortinet to acknowledge that their initial fix only addressed one specific attack vector while leaving another viable path open.
According to Fortinet's security advisory, the authentication bypass vulnerability affects multiple product lines including FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. The company has taken the precautionary step of disabling FortiCloud SSO connections from vulnerable versions while patches remain under development.
Attack Details and Scope
Fortinet confirmed that CVE-2026-24858 was actively exploited in the wild by two malicious FortiCloud accounts, which were blocked as of January 22. The attacks appear to have been sophisticated enough to bypass the December patch, exploiting what security researchers call an "alternate path or channel" vulnerability.
The vulnerability allows attackers with a FortiCloud account and a registered device to potentially log into other devices registered to different accounts, provided FortiCloud SSO authentication is enabled. This creates a particularly concerning scenario where compromised credentials could grant access across an organization's entire Fortinet infrastructure.
Product Impact and Available Fixes
While some Fortinet products have safe releases available, patches are still being developed for most affected versions. FortiWeb and FortiSwitch Manager are currently under investigation to determine their exposure to these security flaws.
Customers are advised to upgrade to versions recommended in the security advisory to restore FortiCloud SSO services. However, the staggered availability of patches means many organizations will need to operate with disabled SSO functionality while waiting for comprehensive fixes.
The December Attack Timeline
The original attacks were first detected by Arctic Wolf around January 15, involving the December vulnerabilities that allowed attackers to bypass SSO checks using specially crafted SAML responses. These attacks appeared to target FortiGate firewalls specifically, using CVE-2025-59718 to compromise systems.
Fortinet initially believed their December patch had resolved the issue, but by January 22, the company was forced to admit that attackers had found an alternate exploitation path. This admission came after multiple reports of successful compromises despite organizations following the recommended patching procedures.
Security Implications
Carl Windsor, CISO at Fortinet, warned that although the observed attacks only targeted FortiCloud SSO, all SAML-based SSO implementations were potentially vulnerable. This broad warning suggests that the underlying issue may extend beyond Fortinet's specific implementation to affect other vendors using similar authentication mechanisms.
The vulnerability's CVSS score of 9.4 places it in the critical category, indicating severe potential impact on confidentiality, integrity, and availability. The authentication bypass nature of the flaw means that once exploited, attackers could potentially gain administrative access to affected systems without needing to authenticate through normal channels.
Administrative Challenges
For IT administrators, this situation creates a complex remediation challenge. Organizations that believed they had addressed the security issue must now implement additional patches while potentially dealing with the operational impact of disabled SSO services.
The advisory notes that FortiCloud SSO is not enabled by default in factory settings, but becomes active when administrators register devices to FortiCare through the device's GUI unless they specifically disable the "Allow administrative login using FortiCloud SSO" toggle switch. This means that many organizations may have inadvertently enabled the vulnerable feature during routine device registration.
Industry Context
This incident highlights the ongoing challenges in the cybersecurity industry, where patching one vulnerability often reveals or creates opportunities for exploitation through alternate paths. The rapid discovery of CVE-2026-24858 following the December patches demonstrates how sophisticated attackers can quickly adapt to defensive measures.
For Fortinet, this represents another significant security challenge following a series of critical vulnerabilities disclosed in recent months. The company has faced increased scrutiny over its security practices and response times, making this latest incident particularly damaging to its reputation in the enterprise security market.
Moving Forward
Organizations using affected Fortinet products should immediately review their FortiCloud SSO configurations and apply available patches as they become available. Those unable to patch immediately may need to consider alternative authentication methods or temporarily disable SSO functionality to mitigate risk.
The incident serves as a reminder of the importance of comprehensive security monitoring and the need for organizations to maintain defensive depth beyond relying solely on vendor patches. As attackers continue to develop sophisticated techniques for bypassing security controls, organizations must remain vigilant and prepared to respond to emerging threats even after implementing recommended security updates.
For Fortinet, the challenge will be not only addressing the immediate technical issues but also rebuilding trust with customers who have experienced multiple security incidents in a short timeframe. The company's ability to deliver comprehensive, timely fixes while maintaining transparent communication will be crucial in managing the fallout from this latest vulnerability disclosure.
Comments
Please log in or register to join the discussion