Key Takeaways:
- Fortinet customers are facing another actively exploited zero-day vulnerability (CVE-2026-24858) that allows attackers to bypass authentication in the single sign-on flow for FortiCloud and gain privileged access to multiple Fortinet firewall products and related services.
- The vulnerability has a CVSS rating of 9.8 and has been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.
- Fortinet has yet to release patches to address the critical vulnerability across multiple versions of its products, including FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb.
- The vendor has disabled FortiCloud SSO and re-enabled the service with controls in place to prevent logins to devices running vulnerable software versions.
- Researchers have yet to determine the full extent of the impact, but the scope of potential victims is broad and global, with nearly 10,000 Fortinet instances with FortiCloud SSO enabled.
Introduction to the Vulnerability
The latest vulnerability to affect Fortinet customers is a zero-day exploit that allows attackers to bypass authentication in the single sign-on flow for FortiCloud, gaining privileged access to multiple Fortinet firewall products and related services. This vulnerability, designated as CVE-2026-24858, has a CVSS rating of 9.8, indicating a critical severity level. Fortinet has issued a security advisory warning that some instances of exploitation have already occurred earlier this month, and the vendor has yet to release patches to address the vulnerability across multiple versions of its products.
Impact and Exploitation
The vulnerability allows attackers with a FortiCloud account and a registered device to log into devices registered to other accounts, potentially leading to unauthorized access and control. Fortinet has reported that two malicious FortiCloud accounts were blocked on January 22, and attackers have reconfigured firewall settings on FortiGate devices, created unauthorized accounts, and changed virtual private network configurations to gain access to new accounts. The vendor has disabled FortiCloud SSO and re-enabled the service with controls in place to prevent logins to devices running vulnerable software versions. However, the full extent of the impact is still unknown, and researchers are working to determine the scope of the vulnerability.
Relationship to Previous Vulnerabilities
The latest vulnerability bears similarities to previous critical authentication bypass vulnerabilities, including CVE-2025-59718, which was disclosed by Fortinet in December. Arctic Wolf researchers observed a new cluster of unauthorized firewall configuration changes on FortiGate devices on January 15, which may be related to the new vulnerability. However, Fortinet has not explained the extent to which the defects are related or if the new flaw represents a bypass of the previous patches. The vendor has confirmed that customers running versions released in December are vulnerable to CVE-2026-24858, raising questions about the effectiveness of previous patches.
Global Impact and Mitigation
The scope of potential victims is broad and global, with nearly 10,000 Fortinet instances with FortiCloud SSO enabled, according to Shadowserver scans. Ben Harris, founder and CEO at watchTowr, noted that the company’s exposure management platform is observing active probing for devices with FortiCloud SSO enabled, but the broader impact is still unknown. Researchers at Arctic Wolf have not seen evidence of new exploitation since January 21, adding that attacks appear to be limited to instances where management interfaces of vulnerable devices were publicly exposed to the internet. To mitigate the vulnerability, defenders are advised to follow security best practices, including keeping firmware up to date and limiting the potential impact of the vulnerability and similar flaws in the future.
Criticism and Frustration
The latest vulnerability has sparked criticism and frustration among defenders, with Joe Toomey, vice president of underwriting security at Coalition, criticizing Fortinet’s inability to thwart or reduce the number of actively exploited vulnerabilities affecting its products. Toomey noted that Fortinet’s latest defect marks the 14th time Coalition has sent zero-day advisories about critical Fortinet vulnerabilities to its policyholders in less than four years. Ben Harris commended Fortinet for its transparency, but added that the vendor’s repeated vulnerabilities are becoming a familiar saga, with the company competing with the "Fast & Furious" franchise for the amount of sagas in one year.
Conclusion and Recommendations
In conclusion, the latest Fortinet vulnerability highlights the importance of ongoing vigilance and proactive measures to address software defects and vulnerabilities. Defenders must remain alert and take steps to mitigate the impact of the vulnerability, including following security best practices and keeping firmware up to date. Fortinet customers should closely monitor the vendor’s guidance and take recommended mitigation steps to prevent exploitation. As the cybersecurity landscape continues to evolve, it is essential for vendors and defenders to work together to address vulnerabilities and prevent attacks, rather than simply reacting to them after they have occurred.
