A critical authentication bypass vulnerability in several Fortinet products that is being actively exploited in the wild has prompted a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, known as CVE-2026-24858, enables attackers with a FortiCloud account to take over sessions on devices linked to other accounts when FortiCloud Single Sign-On (SSO) is enabled. The vulnerability was first made public by Fortinet on January 28, 2026, through PSIRT advisory FG-IR-26-060.

Due to its potential for ransomware and lateral movement attacks, CISA has already taken notice of it. The FortiCloud SSO Authentication Bypass Vulnerability CVE-2026-24858, which is mapped to CWE-288 (Authentication Bypass Using an Alternate Path or Channel), is caused by incorrect authentication handling in an alternate path or channel.

Attackers take advantage of this by using a FortiCloud account linked to a registered device that has been compromised or taken over. Then, bypassing standard credentials, they can use SSO to authenticate to unrelated FortiAnalyzer, FortiManager, FortiOS, or FortiProxy instances.

CVE ID: CVE-2026-24858
Description: FortiCloud SSO authentication bypass
Products Affected: FortiAnalyzer, FortiManager, FortiOS, and FortiProxy
CVSS v3.1 Score: 9.1 (Critical)
Severity: High
Patch Status: Patched

CVSS breakdown: Attack Vector (Network), Attack Complexity (Low), Privileges Required (Low), User Interaction (None), Scope (Unchanged), Confidentiality/Integrity/Availability (High).

Fortinet reports targeted abuse in SSO workflows, but there are currently no public exploits. A real-world incident where threat actors looked for exposed FortiCloud SSO endpoints is described in Fortinet's PSIRT blog.

After registering low-privilege devices to their accounts, the attackers switched to high-value targets, such as enterprise FortiGate firewalls running FortiOS. This gives them initial access, privilege escalation, and persistence in preparation for ransomware deployment. Although it hasn't been verified in significant campaigns, its low barrier is consistent with strategies used by groups like LockBit or ALPHV/BlackCat.

On January 29, 2026, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and requested that federal agencies patch it within BOD 22-01 timelines. Exposure in the private sector is still high: Shadowserver scans reveal that FortiCloud SSO is used by more than 500,000 Fortinet devices globally.

The vulnerability takes advantage of SSO token validation flaws. After gaining legitimate access to their device, an attacker obtains a session token, which they then replay against victim devices that share the FortiCloud tenant. Although there is no direct code execution, config dumps, VPN pivots, and malware staging are possible with admin access.
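As an added illustration of this bug class (not Fortinet's code, and not a description of FortiCloud's actual token format), here is a simplified model in Python: a weak validator that checks only the signature and tenant, so a token minted for an attacker-registered device replays against any other device in the tenant, beside a hardened validator that also binds the token to the presenting device and its registered accounts. The signing key, claim names, account names, and device serials are all constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key; a real deployment would use a managed secret.
SECRET = b"constructed-demo-signing-key"

def issue_token(account: str, tenant: str, device_serial: str,
                ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint an HMAC-signed SSO session token carrying the issuing account,
    tenant and the device it was issued for (claim names are hypothetical)."""
    now = time.time() if now is None else now
    claims = {"acct": account, "tenant": tenant, "dev": device_serial, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def _verify(token: str, now: float) -> Optional[dict]:
    """Check signature and expiry; return the claims or None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] >= now else None

def accept_weak(token: str, this_tenant: str, now: Optional[float] = None) -> bool:
    """Models the bug class: any valid token from the same tenant is accepted,
    so the device the token was issued for is never checked."""
    claims = _verify(token, time.time() if now is None else now)
    return claims is not None and claims["tenant"] == this_tenant

def accept_hardened(token: str, this_tenant: str, this_device: str,
                    registered_accounts: set, now: Optional[float] = None) -> bool:
    """Hardened check: the token must name this exact device and an account
    registered to manage it, not merely the same tenant."""
    claims = _verify(token, time.time() if now is None else now)
    return (claims is not None
            and claims["tenant"] == this_tenant
            and hmac.compare_digest(claims["dev"], this_device)
            and claims["acct"] in registered_accounts)
```

The defensive point is the last two conditions of accept_hardened: a session token is only as good as the binding between the token, the device that presents it, and the account entitled to that device.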

Users of FortiProxy are more vulnerable in zero-trust configurations.

Mitigations: Fortinet urges immediate updates:

Product         Vulnerable Versions   Fixed Versions
FortiAnalyzer   7.4.0-7.4.3           7.4.4+
FortiManager    7.6.0-7.6.2           7.6.3+
FortiOS         7.4.0-7.4.5           7.4.6+
FortiProxy      7.4.0-7.4.4           7.4.5+

Enforce MFA on FortiCloud accounts, and monitor FortiAnalyzer for unusual logins. Decommission vulnerable setups or follow CISA's BOD 22-01 guidance for cloud services. For updates, organizations should check FortiGuard and NVD.

SSO misconfigurations in hybrid cloud environments are highlighted by this vulnerability.

Prompt patching is crucial to stay ahead of evolving threats.