Fortinet Releases Security Updates For Actively Exploited FortiOS Authentication Flaw

Fortinet has started rolling out security updates to address a critical security vulnerability in FortiOS that has been observed under active exploitation. The issue has raised serious concerns across enterprise and government environments that rely on Fortinet products for perimeter and network defense, particularly where cloud-based single sign-on functionality is enabled.

The vulnerability, tracked as CVE-2026-24858 and assigned a CVSS severity score of 9.4, has been identified as an authentication bypass flaw linked to FortiOS single sign-on using FortiCloud. According to Fortinet, the weakness also impacts FortiManager and FortiAnalyzer, while investigations are ongoing to determine whether additional products such as FortiWeb and FortiSwitch Manager are affected. The flaw allows an attacker with access to a FortiCloud account and a registered device to gain administrative access to other Fortinet devices that are registered under separate accounts, provided FortiCloud SSO authentication is enabled on those systems. Fortinet explained that this behavior stems from an alternate authentication path that can be abused to bypass normal identity verification controls.

While FortiCloud SSO is not enabled by default in factory configurations, it becomes active in certain administrative workflows. Specifically, the feature is turned on when an administrator registers a device to FortiCare through the graphical user interface, unless the option to allow administrative login using FortiCloud SSO is manually disabled. This configuration nuance has increased the exposure risk for organizations that rely on cloud-based identity features without closely reviewing default registration behavior. Fortinet disclosed that the issue came to light after threat actors were found exploiting a previously unknown attack path that allowed them to log in through SSO without providing valid authentication. Once inside, attackers were able to create local administrator accounts to maintain persistence, modify configurations to grant VPN access, and exfiltrate firewall configuration data, significantly increasing the potential impact of the compromise.

In response to the activity, Fortinet took several containment measures over the past week. The company confirmed that two malicious FortiCloud accounts were locked out on January 22, 2026, followed by a temporary disablement of FortiCloud SSO services on January 26, 2026. The service was restored a day later with additional safeguards that prevent devices running vulnerable software versions from using FortiCloud SSO authentication. As a result, customers must upgrade to the latest firmware releases in order to continue using SSO functionality. Fortinet has strongly advised organizations that observe any indicators of compromise to treat affected devices as breached. Recommended actions include updating to the latest firmware, restoring configurations from known clean backups or auditing for unauthorized changes, and rotating all credentials associated with the devices, including linked directory service accounts. The severity of the situation has also prompted the U.S. Cybersecurity and Infrastructure Security Agency to add CVE-2026-24858 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to remediate the issue by January 30, 2026.
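The post-compromise actions described above (new local administrator accounts, configuration changes granting VPN access) and the recommended remediation step of auditing a device's configuration for unauthorized changes can be turned into a concrete check. The script below is an added example written for this article; it is not Fortinet's tooling and does not come from the original report. It parses two FortiOS configuration backups, a known-clean baseline and the current one, and reports new administrator accounts, changed VPN group membership, and whether administrative login via FortiCloud SSO is enabled. Two names are assumptions rather than facts from the article: that the SSO toggle is stored as `admin-forticloud-sso-login` under `config system global`, and that VPN access is granted through `set member` on a `config user group` entry. The sample configurations embedded in the script are constructed for illustration.

```python
"""Audit a FortiOS configuration backup against a known-clean baseline.

Added example for this article, not Fortinet's own tooling. It parses the
FortiOS CLI backup format (config <table> / edit <name> / set <key> <values> /
next / end) and reports the changes the advisory tells defenders to look for.

Assumptions (not stated in the article): the SSO toggle is stored as
`admin-forticloud-sso-login` under `config system global`, and VPN access is
granted through `set member` on a `config user group` entry. Verify both
names against the CLI reference for your firmware version.
"""
import shlex
import sys
from typing import Dict, List, Optional

Table = Dict[str, Dict[str, List[str]]]  # entry name -> {key: [values]}


def parse_fortios_config(text: str) -> Dict[str, Table]:
    """Return {table path: {entry: {key: [values]}}}.

    Table-level settings (tables such as 'system global' that have no 'edit'
    entries) are stored under the empty entry name ''. A 'config' block nested
    inside an entry gets the path '<parent table>/<entry>/<child table>'.
    """
    tables: Dict[str, Table] = {}
    stack: List[List[str]] = []  # each item: [table path, current entry name]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted names and values
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            parent = f"{stack[-1][0]}/{stack[-1][1]}/" if stack else ""
            path = parent + " ".join(args)
            stack.append([path, ""])
            tables.setdefault(path, {})
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "unset":
            path, entry = stack[-1]
            tables[path].setdefault(entry, {}).pop(args[0], None)
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
    return tables


def new_admin_accounts(baseline: Dict[str, Table], current: Dict[str, Table]) -> List[str]:
    """Administrator names present now but absent from the clean baseline."""
    return sorted(set(current.get("system admin", {})) - set(baseline.get("system admin", {})))


def vpn_membership_changes(baseline: Dict[str, Table], current: Dict[str, Table]) -> dict:
    """Added/removed members for every 'user group' whose membership changed."""
    changes = {}
    groups = set(baseline.get("user group", {})) | set(current.get("user group", {}))
    for name in sorted(groups):
        before = set(baseline.get("user group", {}).get(name, {}).get("member", []))
        after = set(current.get("user group", {}).get(name, {}).get("member", []))
        if before != after:
            changes[name] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return changes


def forticloud_sso_login(config: Dict[str, Table]) -> Optional[str]:
    """'enable', 'disable', or None when the (assumed) key is absent from the backup."""
    values = config.get("system global", {}).get("", {}).get("admin-forticloud-sso-login")
    return values[0] if values else None


def audit(baseline_text: str, current_text: str) -> dict:
    """Compare two backups and return the findings a responder should review."""
    baseline, current = parse_fortios_config(baseline_text), parse_fortios_config(current_text)
    return {
        "new_admins": new_admin_accounts(baseline, current),
        "vpn_changes": vpn_membership_changes(baseline, current),
        "forticloud_sso_login": forticloud_sso_login(current),
    }


# Constructed sample backups (not real device output): the "current" one shows
# the pattern from the advisory, an extra super_admin account that was also
# added to the VPN user group, with FortiCloud SSO admin login switched on.
BASELINE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user group
    edit "vpn-users"
        set member "jdoe"
    next
end
"""

CURRENT_CONFIG = BASELINE_CONFIG.replace(
    "admin-forticloud-sso-login disable", "admin-forticloud-sso-login enable"
).replace(
    '        set vdom "root"\n    next\nend',
    '        set vdom "root"\n    next\n    edit "support_tmp"\n'
    '        set accprofile "super_admin"\n        set vdom "root"\n    next\nend',
).replace('set member "jdoe"', 'set member "jdoe" "support_tmp"')

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python audit.py clean-backup.conf current-backup.conf
        with open(sys.argv[1]) as clean, open(sys.argv[2]) as now:
            report = audit(clean.read(), now.read())
    else:
        report = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with two exported backups as arguments to audit a real device, or with no arguments to see it flag the constructed sample. A finding here is a lead, not proof of compromise: a new account or group change may be legitimate, so confirm each against change records before rotating credentials and restoring from the clean backup as the advisory recommends.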
