Summary: Fortinet has disclosed a critical authentication bypass vulnerability, CVE-2026-24858, in products that support FortiCloud Single Sign-On (SSO) for administrative login: FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb.
CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog on 27 Jan 2026, with a remediation due date of 30 Jan 2026.
| Attribute | Detail |
|---|---|
| OEM | Fortinet |
| Severity | Critical |
| CVSS Score | 9.4 |
| CVEs | CVE-2026-24858 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This flaw allows an attacker who holds a valid FortiCloud account and has registered a device to it to log in, through FortiCloud SSO, to devices that are registered to other FortiCloud accounts and have SSO administrative login enabled. Fortinet has confirmed active exploitation in the wild. Administrators are urged to upgrade affected products to the fixed versions listed under Remediation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Authentication Bypass via Crafted Requests | CVE-2026-24858 | FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb | Critical | See the Remediation table below |
Technical Summary
The root cause is insufficient validation of the FortiCloud account-to-device binding in the FortiCloud SSO (SAML) login handler of the administrative GUI: an authentication bypass using an alternate path or channel (CWE-288).
Specifically, the handler does not check that the account asserting the SSO login is the account to which the target device is registered. Any authenticated FortiCloud user who has registered a device of their own can therefore log in as an administrator on devices belonging to unrelated FortiCloud accounts, provided the target has “Allow administrative login using FortiCloud SSO” enabled, a setting that is turned on once the device is registered to FortiCare through the GUI.
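To make the CWE-288 pattern concrete, here is an added Python sketch written for this page (illustrative code, not Fortinet's implementation) of an SSO admin-login handler in two forms: one that accepts any validly signed assertion from the shared identity provider, and one that additionally requires the asserting account to match the account the device is registered to. The `Device` and `SsoAssertion` types, the account identifiers and the sample addresses are constructed assumptions; signature and issuer verification are assumed to happen elsewhere.

```python
"""Illustrative CWE-288 pattern for SSO admin login (constructed example, not Fortinet code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoAssertion:
    """Stand-in for an already signature-checked SAML assertion (constructed shape)."""
    subject: str           # FortiCloud user who authenticated at the identity provider
    account_id: str        # FortiCloud account the identity provider says the user belongs to
    signature_valid: bool  # outcome of signature/issuer verification, done elsewhere


@dataclass(frozen=True)
class Device:
    """Stand-in for the target appliance's SSO-relevant state (constructed shape)."""
    serial: str
    registered_account_id: str        # account the device was registered to via FortiCare
    allow_forticloud_sso_admin: bool  # "Allow administrative login using FortiCloud SSO"


def vulnerable_sso_admin_login(device: Device, assertion: SsoAssertion) -> bool:
    """Alternate path: any valid assertion from the shared identity provider yields admin.

    Nothing ties the asserting account to the account that owns this device,
    so a user from an unrelated FortiCloud account is accepted.
    """
    if not device.allow_forticloud_sso_admin:
        return False
    return assertion.signature_valid


def hardened_sso_admin_login(device: Device, assertion: SsoAssertion) -> bool:
    """Same entry point, but the principal must belong to the device's registered account."""
    if not device.allow_forticloud_sso_admin:
        return False
    if not assertion.signature_valid:
        return False
    # Account-to-device binding: reject assertions from any other FortiCloud account.
    return assertion.account_id == device.registered_account_id


# Constructed scenario: victim appliance registered to "ACC-VICTIM"; the attacker
# holds a perfectly valid FortiCloud login under a different account.
VICTIM = Device(serial="SERIAL-VICTIM-0001", registered_account_id="ACC-VICTIM",
                allow_forticloud_sso_admin=True)
ATTACKER_ASSERTION = SsoAssertion(subject="attacker@example.net",
                                  account_id="ACC-ATTACKER", signature_valid=True)
OWNER_ASSERTION = SsoAssertion(subject="owner@example.com",
                               account_id="ACC-VICTIM", signature_valid=True)

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_sso_admin_login),
                          ("hardened", hardened_sso_admin_login)):
        print(f"{name:10s} attacker -> admin: {handler(VICTIM, ATTACKER_ASSERTION)}")
        print(f"{name:10s} owner    -> admin: {handler(VICTIM, OWNER_ASSERTION)}")
```

Note that turning the toggle off closes the path in both versions, which is why disabling FortiCloud SSO administrative login is the interim mitigation where the upgrade cannot be applied at once.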
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2026-24858 | See the Remediation table below | Authentication Bypass Using Alternate Path or Channel (CWE-288) in the FortiCloud SSO SAML login handler | Device takeover, network compromise, persistent access |
Remediation:
Upgrade the affected Fortinet products immediately to the fixed versions listed below, or later.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | 7.0.16 or above |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | 7.2.12 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | 7.0.16 or above |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | 7.0.19 or above |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | 7.4.13 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.15 | 7.2.16 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.22 | 7.0.23 or above |
| FortiWeb 8.0 | 8.0.0 through 8.0.3 | 8.0.4 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.6 | 7.6.7 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.11 | 7.4.12 or above |
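As an added helper (not a Fortinet tool), the following Python script encodes the table above and reports whether a given product/version pair needs the upgrade; it also parses the `Version:` line that `get system status` prints on the appliance. The sample status line is constructed, and the platform-name-to-product mapping is an assumption made for this example. It goes one step beyond the table by treating every build below the first fixed version as needing the upgrade, which matters for the FortiProxy 7.6 row, where the stated affected range ends at 7.6.4 but the fix is 7.6.6.

```python
"""Check a Fortinet product/version against the CVE-2026-24858 table (added helper, not a Fortinet tool)."""
import re
from typing import Tuple

# (product, branch) -> (last affected version, first fixed version), transcribed from the table above.
AFFECTED = {
    ("FortiAnalyzer", "7.6"): ("7.6.5", "7.6.6"),
    ("FortiAnalyzer", "7.4"): ("7.4.9", "7.4.10"),
    ("FortiAnalyzer", "7.2"): ("7.2.11", "7.2.12"),
    ("FortiAnalyzer", "7.0"): ("7.0.15", "7.0.16"),
    ("FortiManager", "7.6"): ("7.6.5", "7.6.6"),
    ("FortiManager", "7.4"): ("7.4.9", "7.4.10"),
    ("FortiManager", "7.2"): ("7.2.11", "7.2.12"),
    ("FortiManager", "7.0"): ("7.0.15", "7.0.16"),
    ("FortiOS", "7.6"): ("7.6.5", "7.6.6"),
    ("FortiOS", "7.4"): ("7.4.10", "7.4.11"),
    ("FortiOS", "7.2"): ("7.2.12", "7.2.13"),
    ("FortiOS", "7.0"): ("7.0.18", "7.0.19"),
    ("FortiProxy", "7.6"): ("7.6.4", "7.6.6"),
    ("FortiProxy", "7.4"): ("7.4.12", "7.4.13"),
    ("FortiProxy", "7.2"): ("7.2.15", "7.2.16"),
    ("FortiProxy", "7.0"): ("7.0.22", "7.0.23"),
    ("FortiWeb", "8.0"): ("8.0.3", "8.0.4"),
    ("FortiWeb", "7.6"): ("7.6.6", "7.6.7"),
    ("FortiWeb", "7.4"): ("7.4.11", "7.4.12"),
}

# `get system status` prints a line like "Version: FortiGate-60F v7.4.3,build2573,240201 (GA.F)".
# The platform-name-to-product mapping is an assumption for this example.
PRODUCT_BY_PLATFORM = {
    "FortiGate": "FortiOS", "FortiWiFi": "FortiOS", "FortiProxy": "FortiProxy",
    "FortiManager": "FortiManager", "FortiAnalyzer": "FortiAnalyzer", "FortiWeb": "FortiWeb",
}
STATUS_RE = re.compile(r"Version:\s*([A-Za-z]+)\S*\s+v?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.4.10' or 'v7.4.10,build2795' -> (7, 4, 10)."""
    core = text.strip().lstrip("v").split(",")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))


def assess(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a product/version pair."""
    ver = parse_version(version)
    if len(ver) < 2:
        return "not listed"
    entry = AFFECTED.get((product, f"{ver[0]}.{ver[1]}"))
    if entry is None:
        return "not listed"  # branch absent from the table (end-of-life or newer release)
    first_fixed = parse_version(entry[1])
    # Conservative rule: every build below the first fixed version needs the upgrade.
    # This also covers FortiProxy 7.6.5, which the table's affected range does not mention.
    return "affected" if ver < first_fixed else "fixed"


def assess_status_output(text: str) -> str:
    """Assess the 'Version:' line of `get system status` output."""
    m = STATUS_RE.search(text)
    if not m:
        return "no version line found"
    product = PRODUCT_BY_PLATFORM.get(m.group(1))
    if product is None:
        return f"unmapped platform {m.group(1)}"
    return f"{product} {m.group(2)}: {assess(product, m.group(2))}"


# Constructed sample of the first lines of `get system status` on a FortiGate (not real device output).
SAMPLE_STATUS = "Version: FortiGate-60F v7.4.3,build2573,240201 (GA.F)\nSerial-Number: FGT60F0000000000"

if __name__ == "__main__":
    print(assess_status_output(SAMPLE_STATUS))
    for product, version in (("FortiManager", "7.4.10"), ("FortiProxy", "7.6.5"), ("FortiWeb", "8.0.3")):
        print(f"{product} {version}: {assess(product, version)}")
```

Feed the script the output of `get system status` from each device, or the product/version pairs from your inventory; anything reported as `affected` goes on the upgrade list, and, until it is upgraded, should have the FortiCloud SSO administrative login toggle named in the Technical Summary turned off.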
IOCs:
| Type | IOC Details |
|---|---|
| SSO Login Accounts | cloud-noc@mail.io, cloud-init@mail.io, heltaylor.12@tutamail.com, support@openmail.pro |
| IP Addresses | 104.28.244.115, 104.28.212.114, 104.28.212.115, 104.28.195.105, 104.28.195.106, 104.28.227.106, 104.28.227.105, 104.28.244.114, 163.61.198.15, 104.28.244.116, 38.54.6.28, 37.1.209.19, 217.119.139.50 (Cloudflare and 3rd party) |
| Malicious Local Accounts | audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, system, adccount |
| Attacker TTPs | Config file download, Local admin creation for persistence |
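To turn the IOC table into a check, here is an added Python example (constructed for this page; not FortiGuard or Fortinet tooling) that scans FortiOS-style key=value event log lines for administrator logins by the listed SSO accounts or from the listed IP addresses, and for creation of local administrator accounts with the listed names. The sample log lines are constructed and only approximate the real log schema (`user`, `ui`, `action`, `cfgpath`, `cfgobj`). It generalizes one step beyond the table with a heuristic rule that flags any local admin created by an e-mail-shaped (SSO) administrator, which is an assumption about how the persistence TTP would look in logs.

```python
"""IOC sweep over FortiOS-style event logs for CVE-2026-24858 (added example, not FortiGuard tooling)."""
import re
from typing import Dict, List, Tuple

# IOCs transcribed from the table above.
SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io", "heltaylor.12@tutamail.com", "support@openmail.pro"}
IOC_IPS = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105", "104.28.195.106",
    "104.28.227.106", "104.28.227.105", "104.28.244.114", "163.61.198.15", "104.28.244.116",
    "38.54.6.28", "37.1.209.19", "217.119.139.50",
}
MALICIOUS_LOCAL_ACCOUNTS = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin", "deploy",
    "remoteadmin", "security", "svcadmin", "system", "adccount",
}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

Hit = Tuple[str, str, str]  # (rule, detail, original line)


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value and key="quoted value" pairs as used by FortiOS event logs."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(lines: List[str]) -> List[Hit]:
    """Apply the IOC rules to each log line and return every match, in line order."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_kv(line)
        user = ev.get("user", "").lower()
        # Admin events carry the source as ui="https(1.2.3.4)"; other events use srcip=.
        src_ips = set(IP_RE.findall(ev.get("ui", "")))
        if "srcip" in ev:
            src_ips.add(ev["srcip"])
        if ev.get("action") == "login":
            if user in SSO_ACCOUNTS:
                hits.append(("sso-login-by-ioc-account", user, line))
            matched = src_ips & IOC_IPS
            if matched:
                hits.append(("login-from-ioc-ip", ",".join(sorted(matched)), line))
        # Local administrator creation: cfgpath="system.admin" with action="Add".
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            new_admin = ev.get("cfgobj", "").lower()
            if new_admin in MALICIOUS_LOCAL_ACCOUNTS:
                hits.append(("ioc-local-admin-created", new_admin, line))
            if "@" in user:  # heuristic (assumption): an SSO principal minting a local admin
                hits.append(("local-admin-created-by-sso-user", f"{user} -> {new_admin}", line))
    return hits


# Constructed sample lines approximating the FortiOS event log format (not real device output).
SAMPLE_LOGS = [
    'date=2026-01-27 time=03:12:41 type="event" subtype="system" action="login" status="success" '
    'user="cloud-init@mail.io" ui="https(104.28.212.114)" msg="Administrator cloud-init@mail.io logged in successfully from https(104.28.212.114)"',
    'date=2026-01-27 time=03:13:05 type="event" subtype="system" action="Add" user="cloud-init@mail.io" '
    'ui="https(104.28.212.114)" cfgpath="system.admin" cfgobj="backupadmin" msg="Add system.admin backupadmin"',
    'date=2026-01-27 time=08:40:00 type="event" subtype="system" action="login" status="success" '
    'user="admin" ui="https(10.10.1.5)" msg="Administrator admin logged in successfully from https(10.10.1.5)"',
    'date=2026-01-27 time=09:02:17 type="event" subtype="system" action="Add" user="admin" '
    'ui="https(10.10.1.5)" cfgpath="system.admin" cfgobj="jsmith" msg="Add system.admin jsmith"',
]

if __name__ == "__main__":
    for rule, detail, line in hunt(SAMPLE_LOGS):
        print(f"[{rule}] {detail}\n    {line[:90]}")
```

Run it over exported event logs (or the syslog feed from FortiAnalyzer); a hit on any of the first three rules is a direct IOC match and should be treated as a confirmed compromise indicator, while the fourth rule is a lead that needs review against your own list of legitimate SSO administrators. Because the attacker also downloaded configuration files, assume any credentials and keys in the configuration of a device that produces hits are exposed.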
Source: www.fortiguard.com
Conclusion:
This vulnerability turns the convenience of FortiCloud SSO into a critical administrator-takeover vector, and it is being actively exploited against Fortinet's core infrastructure products.
Fortinet's server-side blocks on FortiCloud SSO logins give interim protection, but upgrading to a fixed version is mandatory both to restore SSO login and to remove the exposure. Audit devices against the IOCs above (SSO logins by the listed accounts or from the listed IP addresses, and local administrator accounts with the listed names), disable FortiCloud SSO administrative login where it is not needed, and enforce MFA for administrative access.