Fortinet has started rolling out security updates for a critical zero-day vulnerability affecting its FortiOS platform and associated products, after multiple organizations reported real-world attacks that bypass authentication and grant unauthorized administrative access.

What Was Happening

Reports from customers in late January confirmed that attackers were able to access FortiGate firewalls despite the devices running the most recent firmware. The attackers used the FortiCloud Single Sign-On (SSO) authentication feature to gain entry and even created unauthorized local admin accounts.

Initially, these incidents were believed to be linked to previously patched issues (CVE-2025-59718/CVE-2025-59719), but Fortinet has since confirmed that a separate new vulnerability was being exploited instead.

The New Vulnerability: CVE-2026-24858

The issue has been officially designated as CVE-2026-24858, a critical authentication bypass vulnerability in FortiCloud SSO. This flaw allows an attacker with a valid FortiCloud account and a registered device to authenticate to other devices registered to different customers if FortiCloud SSO is enabled.

Security researchers have observed the flaw being actively targeted in the wild, with malicious FortiCloud accounts identified and blocked during the attack activity.

Affected Products

CVE-2026-24858 impacts multiple Fortinet products when FortiCloud SSO is enabled, including:

• FortiOS (various versions across 7.x branches)
• FortiManager
• FortiAnalyzer
• FortiProxy

(Investigations continue into potential impact on FortiWeb and FortiSwitch Manager)

Importantly, FortiCloud SSO is not enabled by default, but many environments enable it during initial setup or device registration — increasing the number of systems at risk.

Vendor Response & Mitigation

Fortinet has begun releasing patched versions to address CVE-2026-24858 across its product line. Additionally:

• Fortinet disabled FortiCloud Single Sign-On on the cloud side temporarily to halt ongoing exploitation.
• SSO access was later restored only for devices running patched firmware.
• Customers must update devices to the latest versions to continue using FortiCloud SSO securely.

What Administrators Should Do

If your organization uses Fortinet products with FortiCloud SSO enabled:

1. Update immediately to the latest patched firmware for FortiOS, FortiManager, FortiAnalyzer, and related platforms.
2. Confirm that FortiCloud SSO is functioning only after applying patches.
3. Restrict administrative access to trusted IP addresses and internal networks.
4. Review logs for signs of compromise, including suspicious admin accounts or unexpected configuration changes.

Why This Matters

This vulnerability represents a serious risk for enterprise networks and security perimeters. Attackers who gain administrative access can alter firewall policies, create unauthorized VPN accounts, and potentially expose sensitive network configuration data — all without needing legitimate credentials on the targeted device.

As with other critical flaws added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, patching and mitigation should be treated as a priority for any organization using Fortinet infrastructure.

Stay Protected

Zero-day vulnerabilities like CVE-2026-24858 remind us that even the most recent firmware can contain critical security flaws. Regular patching, network segmentation, and monitoring remain essential defensive measures.

Organizations should establish procedures for rapid security updates and consider whether cloud-based authentication features provide sufficient security benefits to justify their potential attack surface.

Read the full article: https://luckyy.uk/fortinet-patches-actively-exploited-forticloud-sso-zero-day-urgent-update-required/