Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign-on (SSO) is enabled on those devices.[1]
Users are also vulnerable to CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature] and related CVEs.[2] These vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.[3] On Fortinet devices that had been fully upgraded to the latest release addressing those CVEs, Fortinet observed the following malicious activity:
Unauthorized firewall configuration changes on FortiGate devices.
Unauthorized creation of accounts.
Unauthorized configuration changes of virtual private networks (VPNs) to grant access to new accounts.[4]
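The three activities listed above all leave configuration-change events in the device's event log, so one practical way to check for indicators of compromise is to review those events and prioritize the ones made through an SSO session. The following Python script is an added example, not code from CISA or Fortinet: it parses FortiOS-style key=value log lines and flags administrator-account, VPN, user-group and firewall-policy changes, marking whether the change came from an SSO session. The field names (cfgpath, cfgobj, ui, action) follow the FortiOS event-log style but are an assumption, and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in FortiOS-style key=value syslog format. The field
# names are an assumption modelled on FortiOS system event logs, not taken from
# the advisory; the addresses, users and timestamps are invented.
SAMPLE_LOGS = [
    'date=2026-01-20 time=09:12:01 logid="0100044547" type="event" subtype="system" level="information" user="admin" ui="ssh(198.51.100.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
    'date=2026-01-21 time=02:41:17 logid="0100044547" type="event" subtype="system" level="information" user="Fortinet_SSO_admin" ui="sso" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-01-21 time=02:42:03 logid="0100044547" type="event" subtype="system" level="information" user="Fortinet_SSO_admin" ui="sso" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"',
    'date=2026-01-21 time=02:43:55 logid="0100044547" type="event" subtype="system" level="information" user="Fortinet_SSO_admin" ui="sso" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[svc_backup]" msg="Edit user.group sslvpn_users"',
    'date=2026-01-21 time=08:00:00 logid="0100032001" type="event" subtype="user" level="notice" user="alice" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator alice logged in successfully from https(203.0.113.5)"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Configuration paths whose modification matches the activity described in the
# advisory: new admin accounts, VPN changes, group membership, firewall policy.
WATCHED_CFGPATHS = {
    "system.admin": "administrator account created or modified",
    "vpn.": "VPN configuration changed",
    "user.group": "user group membership changed (may grant VPN access)",
    "firewall.policy": "firewall policy changed",
}
CONFIG_ACTIONS = {"Add", "Edit", "Delete"}


@dataclass
class Finding:
    line_no: int
    user: str
    ui: str
    cfgpath: str
    sso: bool
    reason: str


def parse_fortios_line(line: str) -> dict:
    """Split one key=value log line into a dict, keeping empty quoted values."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_sso_session(fields: dict) -> bool:
    """Assumption: SSO-originated admin sessions are tagged in the 'ui' field."""
    return "sso" in fields.get("ui", "").lower()


def review_events(lines) -> list:
    """Return a Finding for every watched configuration change, SSO-sourced or not,
    so an analyst can triage SSO-originated changes first."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        f = parse_fortios_line(line)
        if f.get("action") not in CONFIG_ACTIONS:
            continue  # logins and other non-configuration events are out of scope here
        cfgpath = f.get("cfgpath", "")
        for prefix, reason in WATCHED_CFGPATHS.items():
            if cfgpath.startswith(prefix):
                findings.append(Finding(line_no, f.get("user", ""), f.get("ui", ""),
                                        cfgpath, is_sso_session(f), reason))
                break
    return findings


if __name__ == "__main__":
    for fd in review_events(SAMPLE_LOGS):
        flag = "SSO-SOURCED" if fd.sso else "local"
        print(f"line {fd.line_no}: [{flag}] {fd.user} via {fd.ui}: {fd.reason} ({fd.cfgpath})")
```

Run against an exported event log, the SSO-sourced findings in the output are the ones to compare against your change-management records; a burst of account creation followed by VPN and group changes from the same SSO session, as in the constructed lines 2 to 4, is the pattern the advisory describes.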
According to Fortinet, on Jan. 26, 2026, it disabled all FortiCloud SSO authentication to mitigate CVE-2026-24858, then reinstated the service on Jan. 27, 2026, with changes to prevent exploitation of vulnerable devices.
CISA added this CVE to its Known Exploited Vulnerabilities (KEV) Catalog on Jan. 27, 2026.
CISA urges users to check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and to apply updates as soon as they are available, following Fortinet's instructions:
Administrative FortiCloud SSO authentication bypass
Analysis of Single Sign-On Abuse on FortiOS
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Notes
1. Fortinet, “Administrative FortiCloud SSO Authentication Bypass,” FortiGuard Labs, last modified January 27, 2026, https://fortiguard.fortinet.com/psirt/FG-IR-26-060.
2. Fortinet, “Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass,” FortiGuard Labs, last modified December 9, 2025, https://fortiguard.fortinet.com/psirt/FG-IR-25-647.
3. Carl Windsor, “Analysis of Single Sign-On Abuse on FortiOS,” PSIRT Blogs (blog), Fortinet, last modified January 22, 2026, https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios.
4. Arctic Wolf Labs, “Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts,” Arctic Wolf Blog (blog), Arctic Wolf, last modified January 21, 2026, https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/.