Fortinet Fixes Actively Exploited FortiOS SSO Auth Bypass

by | Jan 29, 2026 | News

Fortinet Fixes Actively Exploited FortiOS SSO Auth Bypass

Post Views: 52




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

Fortinet has begun rolling out security updates to address a critical authentication bypass vulnerability in FortiOS that is actively exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability Overview

  • CVE: CVE-2026-24858
  • Severity: CVSS 9.4 (Critical)
  • Weakness: Authentication Bypass via Alternate Path (CWE-288)
  • Affected Products:
    • FortiOS
    • FortiManager
    • FortiAnalyzer
    • FortiProxy
    • FortiWeb
    • (FortiSwitch Manager still under investigation)

What’s the Issue?

If FortiCloud Single Sign-On (SSO) is enabled, an attacker with a FortiCloud account and a registered device could log into devices registered to other customers, bypassing authentication entirely.

Fortinet confirmed attackers abused this access to:

  • Create local admin accounts for persistence
  • Modify configurations to grant VPN access
  • Exfiltrate firewall configurations

Important: FortiCloud SSO is not enabled by default, but may be turned on when devices are registered to FortiCare via the GUI unless explicitly disabled.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses



Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Fortinet’s Response Timeline

  • Jan 22, 2026: Two malicious FortiCloud accounts locked
  • Jan 26, 2026: FortiCloud SSO disabled globally
  • Jan 27, 2026: SSO re-enabled only for patched devices (login blocked on vulnerable versions)

As a result, FortiCloud SSO will not function until devices are upgraded.

CISA Action

CISA has added CVE-2026-24858 to the KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate by January 30, 2026.

CISA further clarified that exploitation may impact FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb when FortiCloud SSO is enabled.

What You Should Do Now

If you run affected Fortinet products:

  1. Upgrade immediately to the latest firmware versions
  2. Audit configurations and restore from a known-good backup if compromise is suspected
  3. Rotate credentials, including any linked LDAP/AD accounts
  4. Hunt for IoCs on all internet-exposed Fortinet devices
  5. Confirm whether FortiCloud SSO is enabled and restrict it where unnecessary

Note: The issue only affects FortiCloud SSOthird-party SAML IdPs and FortiAuthenticator are not impacted.

Trending: Cyber Kill Chain’s phases: Understanding the cycle of a cyber attack




Trending: Offensive Security Tool: APKScope

Why This Matters

This is a cross-tenant authentication bypass affecting perimeter security devices. Successful exploitation grants administrative access without credentials, making it a high-impact, low-complexity attack path—especially dangerous for exposed firewalls.

Trending: Node.js Fixes Critical DoS Flaw That Could Crash “Virtually Every Production App”

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Sources: thehackernews.com, cisa.gov/news-events/alerts/2026/01/27/cisa-adds-one-known-exploited-vulnerability-catalog

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This