Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected - The Hacker News

Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected Ravie LakshmananJan 28, 2026Network Security / Zero-Day Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it's continuing to investigate if other products, including FortiWeb and FortiSwitch Manager, are impacted by the flaw. "An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices," Fortinet said in an advisory released Tuesday. It's worth noting that the FortiCloud SSO login feature is not enabled in the default factory settings. It's only turned on in scenarios where an administrator registers the device to FortiCare from the device's GUI, unless they have taken steps to explicitly toggle the "Allow administrative login using FortiCloud SSO" switch. The development comes days after Fortinet confirmed that unidentified threat actors were abusing a "new attack path" to achieve SSO logins without requiring any authentication. The access was abused to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate those firewall configurations. Over the past week, the network security vendor said it has taken the following steps - Locked out two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) on January 22, 2026 Disabled FortiCloud SSO on the FortiCloud side on January 26, 2026 Re-enabled FortiCloud SSO on January 27, 2026, while disabling the option to login from devices running vulnerable versions In other words, customers are required to upgrade to the latest versions of the software for the FortiCloud SSO authentication to function. Fortinet is also urging users who detect signs of compromise to treat their devices as breached and recommends the following actions - Ensure the device is running the latest firmware version Restore configuration with a known clean version or audit for any unauthorized changes Rotate credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices The development has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to remediate the issues by January 30, 2026. Update On January 28, 2026, CISA issued additional guidance for CVE-2026-24858, noting that it allows "malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign-on (SSO) is enabled on devices." Customers of FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb are all affected and should upgrade to the latest version to restore FortiCloud SSO services. Fortinet is still investigating FortiSwitch Manager for its exposure to the security flaw. The company has since confirmed that the issue only impacts FortiCloud SSO and does not affect third-party SAML IdP or FortiAuthenticator implementations. The agency is also urging users to "check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and immediately apply updates as soon as they are available using Fortinet's instructions." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, FortiCloud, Fortinet, FortiOS, network security, Vulnerability, zero-day Trending News Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps