Fortinet has begun releasing security updates to fix a serious FortiOS vulnerability that has been actively exploited in the wild. The flaw, tracked as CVE-2026-24858 (CVSS score: 9.4), is a FortiOS single sign-on (SSO) authentication bypass. FortiManager and FortiAnalyzer are also affected.

The company said it is still investigating whether the bug affects other products, such as FortiWeb and FortiSwitch Manager. In a Tuesday advisory, Fortinet stated that "if FortiCloud SSO authentication is enabled on those devices, an attacker with a FortiCloud account and a registered device may be able to log into other devices registered to other accounts, due to an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, and FortiAnalyzer."

It is worth noting that FortiCloud SSO login is not enabled in the factory default settings. It is turned on only when the device is registered to FortiCare through the device's GUI, unless the administrator has explicitly toggled the "Allow administrative login using FortiCloud SSO" switch. Days earlier, Fortinet had confirmed that unknown threat actors were exploiting a "new attack path" to obtain SSO logins without authenticating.

The access was abused to exfiltrate the affected firewalls' configurations, create local administrator accounts for persistence, and make configuration changes that granted those accounts VPN access.

The network security vendor said it took the following actions over the past week: on January 22, 2026, it locked out two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io); on January 26, 2026, it disabled FortiCloud SSO; and on January 27, 2026, it re-enabled FortiCloud SSO while blocking logins from devices running vulnerable versions.

In other words, users must upgrade to the latest software versions for FortiCloud SSO authentication to work.

Fortinet also advises users who observe indicators of compromise to treat their devices as compromised and to take the following steps: ensure the device is running the latest firmware version; review the configuration for unauthorized changes, or restore it from a known-clean version; and rotate all credentials, including any LDAP/AD accounts that may be linked to the FortiGate devices.

In light of the active exploitation, CVE-2026-24858 has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by January 30, 2026.