Fortinet has released security updates to address Fortinet CVE-2026-24858, a critical vulnerability. This vulnerability affects its FortiOS software. The company further clarified to The Record that the vulnerability only affects the FortiCloud Single Sign-On (SSO) feature. It does not impact independent SAML Identity Providers (IdP) or FortiAuthenticator deployments. On Our Radar This vulnerability is an unusually serious threat. In fact, cybercriminals have already used it to obtain SSO logins without any authentication whatsoever.
On January 22, 2026, Fortinet should have acted without delay. Specifically, they locked out two malicious FortiCloud accounts that were used in the exploitation. In light of this, the company temporarily disabled FortiCloud SSO on January 26, 2026. A day after the initial blunder, Fortinet re-enabled the SSO feature but limited logins from devices with vulnerable versions of the software.
Details of the Vulnerability
The vulnerability is categorized as an “Authentication Bypass Using an Alternate Path or Channel” flaw. Threat actors in possession of a FortiCloud account are able to exploit devices registered on FortiCloud. If those devices have FortiCloud SSO authentication enabled, the attackers can sign into additional accounts with ease.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” – Fortinet.
As such, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed CVE-2026-24858 into its Known Exploited Vulnerabilities (KEV) catalog. Specifically, it’s calling on Federal Civilian Executive Branch (FCEB) agencies to act now and remediate within three years, by January 30, 2026. In addition to patching or mitigating affected products, CISA recommends that users scan for indicators of compromise on all internet-exposed Fortinet products that are impacted by this vulnerability.
Recommendations for Users
As mitigations in the absence of a fix, given this fundamental security failure, you should heed the following advice from Fortinet. They should all be taking the basic precautions of keeping their devices up to date with the most current firmware version. Further, users must either roll back configurations to known good states or conduct audits to identify any deviations from accepted configuration directives. Likewise, it’s vital for users to regularly rotate credentials for any LDAP/AD accounts linked to their FortiGate appliances.
“Check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and immediately apply updates as soon as they are available using Fortinet’s instructions.” – CISA.
With Fortinet’s FortiCloud SSO authentication, it becomes active the moment an administrator onboards the device. They accomplish this through the self-service portal, or graphical user interface (GUI), of FortiCare. Notably, the “Allow administrative login using FortiCloud SSO” switch must be explicitly toggled for the feature to be enabled.
User Action Required
Fortinet puts out the call to act on this serious vulnerability while you still can! Users who are aware or suspect any indicators of compromise should assume their device is already compromised and take action right away. Frequent patching and vulnerability scanning will be key for defending against this new attack vector.
Her example highlights the need across the cybersecurity field for ongoing vigilance and proactive measures as threats grow more sophisticated. All organizations using Fortinet products need to patch this vulnerability as a first order of business and watch their systems for any related activity.