Fortinet has started publishing patches to correct critical vulnerability in FortiOS that is already being exploited in real environments. Identified as CVE-2026-24858 and with a high CVSS score (9.4), it is a bypass-type authentication failure related to FortiCloud's single login mechanism (SSO), which also affects FortiManager and FortiAnalyzer and could affect other research products.
In simple terms, vulnerability allows an attacker with a FortiCloud account and a registered device to use alternative access to log in on devices that belong to other accounts when the FortiCloud SSO function is activated. This vector has been used by malicious actors to obtain administrative control: they have created local administrator accounts, modified configurations to grant VPN access to those accounts and have removed firewall configurations to maintain presence and pivote on affected networks. Fortinet describes this abuse in more detail in his technical analysis posted on his PSIRT blog.
It is important to clarify that the FortiCloud SSO function is not activated in the factory configuration. It only comes into operation in scenarios where an administrator records the device in FortiCare from the graphical interface and explicitly activates the option of allowing administrative login through FortiCloud SSO. This reduces the potential scope, but does not eliminate the risk: if the functionality has been enabled in any installation, that installation can be susceptible.
In the face of the discovery of the exploitation, Fortinet took several measures in the cloud to mitigate the attack. Among the actions that the company has reported are the blocking of FortiCloud accounts used by the attackers and the temporary deactivation of FortiCloud SSO at cloud service level, followed by a partial reactivation with restrictions that prevent login from devices that have not been updated. Details and versions affected and corrected are found in FortiGuard's official security notice FG-IR-26-060.
The speed and severity of the problem have led to the US Infrastructure and Cybersecurity Agency. US (CISA) include this vulnerability in its catalogue of known exploited vulnerabilities ( KEV), forcing federal agencies to remedy it expeditiously. The official notice of CISA explaining the inclusion in the catalogue is available Here..
If you manage Fortinet devices, the recommendation is to address risk urgently. The essential minimum is to update the equipment to the firmware versions that correct the failure, but it is also necessary to audit the configurations and records in search of new administrative accounts or unauthorized changes: the presence of newly created local users, policy rules with unexpected modifications or VPN entries giving wide access are signs of commitment. Fortinet advises restoring from a known and clean configuration copy if anomalies are detected and changing relevant credentials, including those used against LDAP or Active Directory directories connected to FortiGate.
Beyond the patch, there are operational measures that help reduce immediate exposure, such as disable FortiCloud SSO if not strictly necessary, review which devices are registered in FortiCloud and check the traceability of accounts with administrative permits. Fortinet's guides and technical notes on how to identify commitment indicators and recommended steps are available in their official communications PSIRT and in the above-mentioned SSO abuse analysis.
To follow the consolidated technical information on vulnerability, you can see the entry into the CVE repository and the NIST base, where there are metric summary and public references: CVE-2026-24858 and NVD: CVE-2026-24858.
The lesson for managers and security officials is clear: the combination of remote management functions and SSO adds convenience, but it also increases the attack vector if it is not strictly controlled who and how devices are recorded in cloud services. The prudence and speed in applying updates and auditing configurations are the best defense in the case of holdings already occurring on the ground.
If you think any of your Fortinet devices could be compromised, treat the affected infrastructure as if it had already been violated, notify the response teams and, if appropriate, consult incident specialists to contain and clean the platform following official recommendations. Keep the communications of Fortinet and the safety agencies under surveillance to apply any additional indication or additional patch that appears.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...
PinTheft the public explosion that could give you root on Arch Linux
A new public explosion has brought to the surface again the fragility of the Linux privilege model: the V12 Security team named the failure as PinTheft and published a concept t...