
"Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it's continuing to investigate if other products, including FortiWeb and FortiSwitch Manager, are impacted by the flaw."
"'An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,' Fortinet said in an advisory released Tuesday. It's worth noting that the FortiCloud SSO login feature is not enabled in the default factory settings."
"The development comes days after Fortinet confirmed that unidentified threat actors were abusing a 'new attack path' to achieve SSO logins without requiring any authentication. The access was abused to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate those firewall configurations. Over the past week, the network security vendor said it has taken the following steps: locked out two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) on January 22, 2026"
Fortinet has released security updates for CVE-2026-24858 (CVSS 9.4), a critical authentication bypass in FortiOS that is being exploited in the wild. FortiManager and FortiAnalyzer are also affected, and Fortinet is still investigating whether FortiWeb and FortiSwitch Manager are impacted. An attacker who holds a FortiCloud account and one registered device can use FortiCloud SSO to log into devices registered to other accounts, provided FortiCloud SSO authentication is enabled on the target. The feature is off in factory defaults, but it can be turned on through FortiCare registration or an explicit GUI toggle, so "not enabled by default" does not mean it is off on a registered device. In the observed intrusions, threat actors used the new attack path to obtain SSO logins without authenticating, then created local admin accounts for persistence, changed configuration to grant those accounts VPN access, and exfiltrated firewall configurations. Fortinet's response so far has been to lock the malicious FortiCloud accounts, temporarily disable FortiCloud SSO, and re-enable it only with logins from vulnerable devices blocked.
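The intrusions described above leave traces in the firewall configuration itself: new `config system admin` entries, changed VPN user or group membership, and the SSO toggle. A practical first check on a fleet is therefore to diff a known-good configuration backup against the current one. The following is an added example written for this page, not Fortinet's code: a small parser for the FortiOS `config`/`edit`/`set`/`next`/`end` text format plus an audit that flags the SSO setting, new admin and local user accounts, and group membership growth. The two sample configurations are constructed, the account names in them are invented, and the setting name `admin-forticloud-sso-login` under `config system global` is assumed to be the FortiOS knob for the FortiCloud SSO login feature; confirm it against Fortinet's advisory for your firmware version.

```python
import shlex

# Constructed sample: a known-good backup taken before the incident window.
BASELINE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
end
config user group
    edit "SSLVPN_Users"
        set member "alice"
    next
end
"""

# Constructed sample: the same device after an attacker-style change set
# (SSO toggled on, a new super_admin, a local user added to the VPN group).
CURRENT_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
    edit "supp0rt"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC YYYY
    next
end
config user local
    edit "supp0rt"
        set type password
        set passwd ENC ZZZZ
    next
end
config user group
    edit "SSLVPN_Users"
        set member "alice" "supp0rt"
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS config text into {section: {entry: {key: [values]}}}.

    Sections are the words after 'config' (e.g. "system admin"); table rows
    are keyed by their 'edit' name, and non-table sections use the key "".
    A 'config' nested inside an 'edit' is keyed as "<section>[<entry>] <sub>".
    """
    tree = {}
    stack = []  # one frame per open 'config' block: {"key": ..., "entry": ...}
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip(), posix=True)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            parent = stack[-1] if stack else None
            prefix = f"{parent['key']}[{parent['entry']}] " if parent else ""
            key = prefix + " ".join(args)
            stack.append({"key": key, "entry": ""})
            tree.setdefault(key, {})
        elif kw == "edit" and stack:
            stack[-1]["entry"] = args[0]
            tree[stack[-1]["key"]].setdefault(args[0], {})
        elif kw == "set" and stack and args:
            top = stack[-1]
            tree[top["key"]].setdefault(top["entry"], {})[args[0]] = args[1:]
        elif kw == "next" and stack:
            stack[-1]["entry"] = ""
        elif kw == "end" and stack:
            stack.pop()
    return tree


def forticloud_sso_enabled(cfg):
    """True if the (assumed) FortiCloud SSO admin login knob is set to enable."""
    glob = cfg.get("system global", {}).get("", {})
    return glob.get("admin-forticloud-sso-login") == ["enable"]


def new_entries(baseline, current, section):
    """Table rows present in the current config but absent from the baseline."""
    return sorted(set(current.get(section, {})) - set(baseline.get(section, {})))


def group_member_changes(baseline, current, section="user group"):
    """Members that each group gained relative to the baseline."""
    changes = {}
    for grp, settings in current.get(section, {}).items():
        before = set(baseline.get(section, {}).get(grp, {}).get("member", []))
        after = set(settings.get("member", []))
        if after - before:
            changes[grp] = sorted(after - before)
    return changes


def audit(baseline_text, current_text):
    """Return human-readable findings for a baseline-vs-current config diff."""
    base, cur = parse_fortios_config(baseline_text), parse_fortios_config(current_text)
    findings = []
    if forticloud_sso_enabled(cur):
        findings.append("FortiCloud SSO admin login is enabled (admin-forticloud-sso-login enable)")
    for name in new_entries(base, cur, "system admin"):
        prof = cur["system admin"][name].get("accprofile", ["?"])[0]
        findings.append(f"new admin account {name!r} with profile {prof!r}")
    for name in new_entries(base, cur, "user local"):
        findings.append(f"new local user {name!r}")
    for grp, added in group_member_changes(base, cur).items():
        findings.append(f"group {grp!r} gained members {added}")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print("FINDING:", line)
```

The parser keeps every `set` as a list of tokens, so the same tree can be queried for other post-compromise markers the page mentions (for instance, trusted-host entries widened to `0.0.0.0 0.0.0.0` on a new administrator). Run it over real backups by reading the two files into the `audit` call; a clean result does not prove the device was not accessed, it only says the persistence mechanisms named in the article are absent from the configuration, and the setting name still has to match what your firmware actually calls the FortiCloud SSO toggle.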
Read at The Hacker News