CVE-2026-24858: Patch Released for Fortinet FortiOS SSO Authentication Bypass
A recent authentication bypass vulnerability affecting Fortinet products has drawn significant attention from security teams after confirmation of active exploitation in real-world environments. Tracked as CVE-2026-24858, the issue impacts FortiOS and related management platforms when FortiCloud Single Sign-On (SSO) is enabled, allowing attackers to gain administrative access under specific conditions.
The flaw does not stem from default configurations, but from how FortiCloud SSO can be enabled during device registration. Fortinet has released security updates and taken cloud-side mitigation steps, while government agencies have issued remediation deadlines.
This blog explains what CVE-2026-24858 is, which products are affected, how the attacks worked, what indicators defenders should look for, and what actions organizations should take next.
What Is CVE-2026-24858?
CVE-2026-24858 is classified as an authentication bypass using an alternate path or channel (CWE-288) and carries a CVSS score of 9.4, reflecting its potential impact. The vulnerability allows an attacker who controls a FortiCloud account and a registered device to authenticate to other customers’ devices, as long as FortiCloud SSO is enabled on those systems.

Details of CVE-2026-24858 (SOCRadar Vulnerability Intelligence)
This bypass breaks the expected trust boundaries between FortiCloud accounts and managed devices. Once access is obtained, attackers can log in with administrative privileges, bypassing standard authentication checks. Because FortiGate and related platforms often sit at the edge of enterprise networks, unauthorized admin access can expose sensitive configurations and create long-term security risks.
Which Fortinet Products and Versions Are Affected?
The vulnerability affects multiple Fortinet platforms that rely on FortiCloud SSO for administrative login. Confirmed impacted products include:
- FortiOS
- FortiManager
- FortiAnalyzer
- FortiProxy
Specific affected versions vary by product branch; fixed releases are already available for some branches and scheduled for others. Fortinet has also stated that FortiWeb and FortiSwitch Manager remain under investigation, meaning their exposure has not been fully ruled out.
Importantly, FortiCloud SSO is not enabled by default in factory settings. It can become active when administrators register a device with FortiCare through the GUI without disabling the option that allows administrative login via FortiCloud SSO.
How Was the Vulnerability Exploited in Real Attacks?
Fortinet confirmed that threat actors abused a previously unknown attack path to log in via FortiCloud SSO without valid authentication. The activity was traced to two malicious FortiCloud accounts that were later disabled.
Once logged in, attackers were observed performing several post-compromise actions:
- Downloading device configuration files
- Creating new local administrator accounts for persistence
- Modifying settings to enable VPN access
- Preparing for continued access even if SSO was later disabled
This behavior indicates an intent to maintain control over affected devices rather than conduct one-time opportunistic access.
Fortinet’s CVE-2026-24858 Listed in CISA’s Known Exploited Vulnerabilities Catalog
Due to confirmed exploitation, U.S. cybersecurity authorities added CVE-2026-24858 to the Known Exploited Vulnerabilities (KEV) catalog. This designation requires Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by January 30, 2026, reinforcing both the severity of the issue and the urgency of applying fixes.

CISA KEV listing for CVE-2026-24858
What Immediate Mitigation and Remediation Steps Are Recommended?
Fortinet has taken several platform-level actions, including temporarily disabling FortiCloud SSO and later restoring it with restrictions that block vulnerable versions. As a result, FortiCloud SSO will only function on devices running fixed firmware.
For organizations, the recommended steps include:
- Upgrade immediately to the latest fixed software versions listed by Fortinet.
- Audit administrator accounts and remove any unauthorized or suspicious entries.
- Review configurations for unexpected changes, especially VPN and remote access settings.
- Rotate credentials, including LDAP or Active Directory accounts connected to the devices.
- Treat affected systems as compromised if any indicators are confirmed.
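The audit steps above can be applied mechanically to a configuration backup. The following is an added example, not Fortinet's tooling or code from this post: it parses the FortiOS CLI-style config format (config / edit / set / next / end) and reports local administrator accounts that are not on an expected list, plus whether the global option that permits admin login through FortiCloud SSO is switched on. The setting name `admin-forticloud-sso-login`, the sample configuration and the expected-admin list are assumptions constructed for the example; map them to your own firmware branch and naming before relying on the output.

```python
import shlex

# Constructed sample of a FortiOS config backup (not a real device; the SSO setting
# name is an assumption about the config schema, check it against your firmware).
SAMPLE_CONFIG = """
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "backupadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config vpn ssl settings
    set port 443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI-style config into {path: {key: value}}.

    `path` is a tuple alternating section and entry names, e.g. ("system global",)
    or ("system admin", "backupadmin"); nested tables extend the tuple.
    """
    tree = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles quoted names with spaces
        kw, args = parts[0], parts[1:]
        if kw == "config":
            path.append(" ".join(args))    # enter a section
        elif kw == "edit":
            path.append(args[0])           # enter a table entry
        elif kw in ("next", "end") and path:
            path.pop()                     # leave the entry / section
        elif kw in ("set", "unset") and args:
            node = tree.setdefault(tuple(path), {})
            node[args[0]] = " ".join(args[1:]) if kw == "set" else None
    return tree


def audit_config(text, expected_admins):
    """Return human-readable findings: SSO admin login enabled, unexpected local admins."""
    tree = parse_fortios_config(text)
    findings = []
    global_settings = tree.get(("system global",), {})
    # Assumed setting name; on the page the option is described only as
    # "administrative login via FortiCloud SSO".
    if global_settings.get("admin-forticloud-sso-login") == "enable":
        findings.append("FortiCloud SSO admin login is enabled")
    for path, attrs in tree.items():
        if len(path) == 2 and path[0] == "system admin":
            name = path[1]
            if name not in expected_admins:
                profile = attrs.get("accprofile", "?")
                findings.append(f"unexpected local admin '{name}' (profile {profile})")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, expected_admins={"admin"}):
        print("FINDING:", finding)
```

Feed the function a `show full-configuration` backup and the list of administrators your change records actually authorise; anything else it prints is a candidate for the account review and credential rotation steps above.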
How SOCRadar Can Support Faster Detection and Response
Managing vulnerabilities that are already being exploited requires more than patching alone. Security teams also need visibility into emerging threats, active exploitation trends, and early warning signals that may indicate exposure.

SOCRadar’s Vulnerability Intelligence
SOCRadar helps organizations address these challenges by continuously monitoring for newly disclosed vulnerabilities, exploitation activity, and related threat intelligence. Through its Cyber Threat Intelligence and Attack Surface Management capabilities, SOCRadar enables teams to:
- Track high-risk CVEs, including those added to CISA’s KEV catalog
- Identify exposed or misconfigured assets that could be targeted by authentication bypass flaws
- Correlate vulnerability data with real-world exploitation signals and attacker activity
- Prioritize remediation efforts based on threat context rather than severity scores alone
What Indicators of Compromise Should Defenders Look For?
Organizations running affected Fortinet products should review logs and configurations for signs of unauthorized access. Based on Fortinet’s investigations, several concrete indicators of compromise (IOCs) have been publicly documented and should be explicitly checked.
Known Malicious FortiCloud Accounts
The following FortiCloud SSO accounts were observed being used during exploitation attempts:
Fortinet has taken action to disable these accounts, but administrators should still review historical logs for any activity associated with them.
IP Addresses Observed During Exploitation
Attackers were seen authenticating from multiple IP addresses, including infrastructure fronted by Cloudflare. Known IP addresses include:
- 104.28.244[.]115
- 104.28.212[.]114
- 104.28.212[.]115
- 104.28.195[.]105
- 104.28.195[.]106
- 104.28.227[.]105
- 104.28.227[.]106
- 104.28.244[.]114
- 37.1.209[.]19
- 217.119.139[.]50
Because some activity originated from shared or protected infrastructure, IP-based blocking alone should not be considered sufficient.
Suspicious Local Administrator Accounts
Following successful SSO authentication, attackers commonly created local administrator accounts to maintain persistence. Administrators should review all local admin users for unexpected entries, especially accounts with names such as:
- audit
- backup
- backupadmin
- deploy
- itadmin
- remoteadmin
- secadmin
- security
- support
- svcadmin
- system
Log Artifacts to Review
Indicators may also appear in system logs showing successful administrative logins via SSO, followed shortly by configuration changes or new admin account creation. Any sequence of SSO login events paired with rapid privilege changes should be treated as suspicious.
Fortinet has also reported attacker activity originating from multiple IP addresses, including infrastructure protected by Cloudflare, making simple IP blocking insufficient on its own.
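To show how the three indicator classes above (known attacker IPs, suspicious local admin names, and an SSO login followed quickly by privilege or VPN changes) can be checked together, here is an added detection example; it is not code from Fortinet or from this post. The IP and account-name lists are taken from the page. The log lines are constructed, and the field names (`method`, `srcip`, `cfgpath`, `cfgobj`, `action`, `status`) are assumptions about a FortiOS-style key=value event log; adjust the field mapping to the schema your devices actually emit.

```python
import re
from datetime import datetime, timedelta

# IP addresses published as indicators for CVE-2026-24858 (de-fanged on the page, re-fanged here).
IOC_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.105", "104.28.227.106", "104.28.244.114",
    "37.1.209.19", "217.119.139.50",
}

# Local administrator names the attackers were reported to create for persistence.
SUSPICIOUS_ADMIN_NAMES = {
    "audit", "backup", "backupadmin", "deploy", "itadmin", "remoteadmin",
    "secadmin", "security", "support", "svcadmin", "system",
}

# Config paths whose modification shortly after an SSO login deserves review
# (new local admins, VPN settings). Assumed names for the log schema.
PRIVILEGED_CFG_PREFIXES = ("system.admin", "vpn.")

# key=value tokens with optional double-quoted values.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = """
date=2026-01-28 time=10:15:02 logdesc="Admin login successful" action="login" status="success" method="sso" user="cloud-admin" srcip=104.28.244.115
date=2026-01-28 time=10:16:40 logdesc="Object attribute configured" action="Add" cfgpath="system.admin" cfgobj="backupadmin" user="cloud-admin" srcip=104.28.244.115
date=2026-01-28 time=10:18:05 logdesc="Object attribute configured" action="Edit" cfgpath="vpn.ssl.settings" user="cloud-admin" srcip=104.28.244.115
date=2026-01-28 time=11:02:11 logdesc="Admin login successful" action="login" status="success" method="https" user="admin" srcip=10.0.0.5
date=2026-01-28 time=11:03:30 logdesc="Object attribute configured" action="Edit" cfgpath="firewall.policy" cfgobj="12" user="admin" srcip=10.0.0.5
""".strip().splitlines()


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _timestamp(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def find_indicators(lines, window=timedelta(minutes=30)):
    """Return (kind, timestamp, detail) findings for the indicator classes on the page."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=_timestamp)
    findings = []
    sso_logins = []  # successful SSO logins seen so far, oldest first
    for ev in events:
        ts = _timestamp(ev)
        ip = ev.get("srcip")
        if ip in IOC_IPS:
            findings.append(("ioc_ip", ts, ip))
        if ev.get("action") == "login" and ev.get("status") == "success":
            if ev.get("method") == "sso":
                sso_logins.append(ev)
            continue
        cfgpath = ev.get("cfgpath", "")
        if ev.get("action") in ("Add", "Edit") and cfgpath.startswith(PRIVILEGED_CFG_PREFIXES):
            if cfgpath == "system.admin" and ev.get("action") == "Add":
                name = ev.get("cfgobj", "")
                if name.lower() in SUSPICIOUS_ADMIN_NAMES:
                    findings.append(("suspicious_admin_name", ts, name))
            # Sequence rule: same user logged in via SSO within `window` before this change.
            for login in sso_logins:
                if login.get("user") == ev.get("user") and timedelta(0) <= ts - _timestamp(login) <= window:
                    findings.append(("sso_then_privileged_change", ts, f"{ev.get('user')} -> {cfgpath}"))
                    break
    return findings


if __name__ == "__main__":
    for kind, ts, detail in find_indicators(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:28s} {detail}")
```

The IP match is the weakest of the three signals, for the reason the page gives: several addresses sit behind shared Cloudflare infrastructure, so treat an IP hit as a reason to look at the surrounding events rather than as confirmation on its own. The sequence rule is the one that most directly encodes the observed tradecraft (SSO login, then a new admin or VPN change) and is the one worth keeping as a standing detection.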
Additional Update: Microsoft Office Zero-Day CVE-2026-21509
Microsoft has also disclosed and patched a separate Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509 (CVSS 7.8), and confirmed it was being actively exploited at the time of disclosure.
The flaw is caused by reliance on untrusted input during a security decision, allowing a local attacker to bypass built-in Office security features. In particular, it enables bypass of OLE (Object Linking and Embedding) mitigations designed to protect users from malicious COM/OLE controls in Microsoft 365 and Microsoft Office.
Exploitation requires user interaction, with attackers needing to convince targets to open a malicious Office file. Due to the exploit’s complexity and reliance on social engineering, Microsoft has not indicated widespread activity, suggesting use in more targeted operations.
Microsoft has released patches for all affected Office versions, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Additional mitigations, such as Protected View and Microsoft Defender detections, can help reduce risk where immediate patching is not possible.
CISA has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, setting a remediation deadline of February 16, 2026 for U.S. federal agencies, reinforcing the need to prioritize patching and user awareness controls.