
A critical authentication bypass vulnerability, CVE-2026-24858, affects multiple Fortinet products through flawed FortiCloud SSO controls. Fortinet confirmed active exploitation via attacker-controlled FortiCloud accounts before patches rolled out this week.
Vulnerability Overview
CVE-2026-24858 carries a CVSS 3.1 score of 9.8 (Critical): a network-based attacker can bypass administrator authentication with no privileges and no user interaction. Fortinet's FG-IR-26-060 advisory, published January 27, 2026, states that two attacker-controlled FortiCloud accounts exploited the flaw in the wild until Fortinet blocked them on January 22.
Affected Products and Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| FortiAnalyzer | 7.6.0–7.6.5, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.15 | 7.6.6+, 7.4.10+, 7.2.12+, 7.0.16+ |
| FortiManager | 7.6.0–7.6.5, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.15 | 7.6.6+, 7.4.10+, 7.2.13+, 7.0.16+ |
| FortiOS | 7.6.0–7.6.5, 7.4.0–7.4.10, 7.2.0–7.2.12, 7.0.0–7.0.18 | 7.6.6+, 7.4.11+, 7.2.13+, 7.0.19+ |
| FortiProxy | 7.6.0–7.6.4, 7.4.0–7.4.12; all 7.2.x and 7.0.x | 7.6.6+, 7.4.13+; migrate off 7.2/7.0 (no fixed release on those branches) |
FortiOS 6.4 and earlier branches remain unaffected; FortiWeb and FortiSwitch Manager are under review.
Exploitation and Mitigation Timeline
- Before Jan 22, 2026: attackers exploit the zero-day by logging in through attacker-controlled FortiCloud SSO accounts.
- Jan 22: Fortinet locks the malicious accounts and blocks the vulnerable login path on the FortiCloud side.
- Jan 27: FG-IR-26-060 published; fixed firmware begins rolling out.
- Now: a CISA KEV entry is expected; no public PoC has been released.
Immediate Actions:
- Disable FortiCloud SSO administrator login wherever possible (on FortiOS this is the `admin-forticloud-sso-login` setting under `config system global`); the server-side block Fortinet applied on January 22 is not a substitute for removing the login path on your own devices.
- Upgrade to the fixed releases in the table above as a priority; for FortiProxy 7.2 and 7.0, plan a branch migration since no fix exists there.
- Audit admin login logs back to at least mid-January for FortiCloud SSO logins, successful or failed, from accounts your organisation does not recognise, and treat any hit as a potential compromise of that device.
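The two checks a responder runs first are a version assessment against the advisory table and a scan of admin login events for unexpected FortiCloud SSO accounts. The following script, added here as an example and not Fortinet's code, does both. The `FIXED` table is transcribed from the table above; the log lines are constructed in the FortiOS `key="value"` syslog layout, and the `method` field with the value `forticloud-sso` is an assumed marker for SSO logins, so confirm what your devices actually emit before relying on it.

```python
"""CVE-2026-24858 triage helpers: version assessment and FortiCloud-SSO login audit.

Added example for this page, not Fortinet code. Assumptions:
  * FIXED mirrors the advisory table above; for FortiProxy 7.6 the table
    lists 7.6.0-7.6.4 vulnerable and 7.6.6+ fixed, so 7.6.5 is treated as
    vulnerable here (conservative).
  * Log lines use the FortiOS key="value" syslog layout. The 'method' field
    and the literal value 'forticloud-sso' are ASSUMED markers for SSO logins;
    check what your devices actually emit and adjust SSO_METHOD.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]

# Lowest fixed release per product and branch (from the table above).
# None means no fixed release exists on that branch: migrate off it.
FIXED: Dict[str, Dict[str, Optional[Version]]] = {
    "FortiAnalyzer": {"7.6": (7, 6, 6), "7.4": (7, 4, 10), "7.2": (7, 2, 12), "7.0": (7, 0, 16)},
    "FortiManager":  {"7.6": (7, 6, 6), "7.4": (7, 4, 10), "7.2": (7, 2, 13), "7.0": (7, 0, 16)},
    "FortiOS":       {"7.6": (7, 6, 6), "7.4": (7, 4, 11), "7.2": (7, 2, 13), "7.0": (7, 0, 19)},
    "FortiProxy":    {"7.6": (7, 6, 6), "7.4": (7, 4, 13), "7.2": None,       "7.0": None},
}

SSO_METHOD = "forticloud-sso"   # ASSUMED log value; see module docstring


def parse_version(text: str) -> Version:
    """Turn 'v7.4.10 build2600' or '7.4.10' into (7, 4, 10)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not affected' or 'unknown' for one device."""
    v = parse_version(version)
    branches = FIXED.get(product)
    if branches is None:
        return "unknown"                 # e.g. FortiWeb: still under review per the advisory
    if v < (7, 0, 0):
        # The page states only that FortiOS 6.4 and earlier are unaffected.
        return "not affected" if product == "FortiOS" else "unknown"
    branch = f"{v[0]}.{v[1]}"
    if branch not in branches:
        return "unknown"                 # branch not listed in the advisory table
    floor = branches[branch]
    if floor is None:
        return "vulnerable"              # branch has no fix at all; migrate
    return "fixed" if v >= floor else "vulnerable"


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse a FortiOS-style key=value / key="quoted value" log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def flag_sso_logins(lines: List[str], allowed_accounts: Set[str]) -> List[Dict[str, str]]:
    """Admin login events via FortiCloud SSO whose account is not on the allowlist.

    Failed attempts are returned too: an unknown FortiCloud account probing
    SSO login is exactly the activity the Jan 22 blocking was meant to stop.
    """
    hits = []
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("action") != "login" or rec.get("method") != SSO_METHOD:
            continue
        if rec.get("user") not in allowed_accounts:
            hits.append(rec)
    return hits


# Constructed sample lines in FortiOS key=value layout; not captured from a real device.
SAMPLE_LOGS = [
    'date=2026-01-20 time=03:14:07 type="event" subtype="system" action="login" status="success" '
    'user="ops-admin@example.com" ui="https(203.0.113.10)" method="forticloud-sso" '
    'msg="Administrator ops-admin@example.com logged in successfully"',
    'date=2026-01-20 time=03:15:41 type="event" subtype="system" action="login" status="success" '
    'user="backup-sync@attacker.invalid" ui="https(198.51.100.7)" method="forticloud-sso" '
    'msg="Administrator backup-sync@attacker.invalid logged in successfully"',
    'date=2026-01-20 time=03:16:02 type="event" subtype="system" action="login" status="success" '
    'user="admin" ui="ssh(10.0.0.5)" method="local" msg="Administrator admin logged in successfully"',
    'date=2026-01-21 time=22:40:19 type="event" subtype="system" action="login" status="failed" '
    'user="probe@attacker.invalid" ui="https(198.51.100.7)" method="forticloud-sso" '
    'msg="Administrator probe@attacker.invalid login failed"',
]


if __name__ == "__main__":
    for product, ver in [("FortiOS", "v7.4.10 build2600"), ("FortiProxy", "7.2.9"), ("FortiOS", "6.4.15")]:
        print(f"{product} {ver}: {assess(product, ver)}")
    for hit in flag_sso_logins(SAMPLE_LOGS, {"ops-admin@example.com"}):
        print(f"REVIEW {hit['date']} {hit['time']} user={hit['user']} status={hit['status']} from {hit['ui']}")
```

Feed `flag_sso_logins` the exported event logs from each device (or the FortiAnalyzer forward) and keep `allowed_accounts` to the FortiCloud identities your organisation actually provisioned; any remaining hit, successful or not, is a device to treat as potentially compromised, not merely unpatched.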
Patch Priority for KEV Watchers
With in-the-wild exploitation already confirmed, a CISA KEV listing is likely; prioritize FortiOS and FortiManager in critical environments first, since reported prior trends put over 30% of internet-exposed Fortinet assets on vulnerable 7.x branches. Track NVD and the FortiGuard PSIRT advisory for branch-specific guidance and any change to the FortiWeb and FortiSwitch Manager status.



