CVE-2026-24858
📋 TL;DR
This authentication bypass vulnerability allows an attacker who holds a FortiCloud account with a registered device to log in to Fortinet devices belonging to other organizations when FortiCloud SSO authentication is enabled on those devices. It affects multiple Fortinet products across several release branches; any organization running an affected version with FortiCloud SSO enabled is vulnerable.
💻 Affected Systems
- FortiAnalyzer
- FortiManager
- FortiOS
- FortiProxy
- FortiWeb
📦 What is this software?
FortiAnalyzer by Fortinet
FortiManager by Fortinet
FortiOS by Fortinet
FortiProxy by Fortinet
FortiWeb by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to critical network security devices, potentially compromising entire organizational networks, exfiltrating sensitive data, and deploying ransomware.
Likely Case
Attackers access network security devices to modify configurations, create backdoors, intercept traffic, or pivot to internal systems.
If Mitigated
With proper network segmentation and monitoring, impact is limited to specific security devices, allowing quick detection and response.
🎯 Exploit Status
Exploitation requires a FortiCloud account and registered device. CISA has added this to its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- FortiAnalyzer 7.6.6+, 7.4.10+, 7.2.12+, 7.0.16+
- FortiManager 7.6.6+, 7.4.10+, 7.2.12+, 7.0.16+
- FortiOS 7.6.6+, 7.4.11+, 7.2.13+, 7.0.19+
- FortiProxy 7.6.5+, 7.4.13+, 7.2.16+, 7.0.23+
- FortiWeb 8.0.4+, 7.6.7+, 7.4.12+
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-060
Restart Required: Yes
Instructions:
1. Download the appropriate firmware version from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the running version and device functionality.
🔧 Temporary Workarounds
Disable FortiCloud SSO
Applies to: all affected products. Temporarily disable administrator login via FortiCloud SSO on every affected device until it is patched. The CLI below is FortiOS syntax; consult the vendor advisory for the equivalent setting on FortiManager, FortiAnalyzer, FortiProxy and FortiWeb.
config system global
    # FortiOS: turn off administrator login through FortiCloud SSO.
    # (The settings previously listed here, fortisandbox-cloud and fortiguard-anycast,
    # control FortiSandbox Cloud and FortiGuard anycast, not FortiCloud SSO.)
    set admin-forticloud-sso-login disable
end
Restrict Administrative Access
Applies to: all affected products. Limit administrative access to trusted source addresses only (FortiOS syntax shown; 192.168.1.0/24 is an example range). The trusthost restriction is per administrator account, so set it on every account, not just one.
config system admin
    edit admin_user
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
🧯 If You Can't Patch
- Disable FortiCloud SSO authentication immediately
- Implement strict network segmentation to isolate Fortinet devices from critical systems
🔍 How to Verify
Check if Vulnerable:
Run the command suggested here, 'get system sso-forticloud', to see whether FortiCloud SSO is enabled, and compare the running firmware version against the patch version listed above for its release branch; a device is vulnerable if SSO is enabled and the version is below the patched one.
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm with 'get system status' that the running firmware is at or above the patch version for its branch, then confirm that FortiCloud SSO login (if you re-enable it after patching) works as expected.
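The two verification steps above (version against the patch table, and the SSO/trusthost settings in the configuration) can be checked offline against a configuration backup. The script below is an added example, not part of this advisory page and not Fortinet tooling; it assumes that the FortiOS `config system global` setting `admin-forticloud-sso-login` is the relevant switch, and the configuration text it parses is constructed for illustration. It also generalizes the version check to every product and branch in the patch table, and reports branches the table does not list as needing a manual check.

```python
"""Offline audit helper for CVE-2026-24858 (added example, not from the advisory or Fortinet):
checks a firmware version against the advisory's patch versions and scans a FortiOS-style
configuration backup for the FortiCloud SSO admin-login switch (assumed setting name:
admin-forticloud-sso-login) and for admin accounts with no trusthost restriction."""
import re

# Minimum fixed version per product and release branch, as listed in the advisory.
FIXED = {
    "FortiAnalyzer": {"7.6": (7, 6, 6), "7.4": (7, 4, 10), "7.2": (7, 2, 12), "7.0": (7, 0, 16)},
    "FortiManager":  {"7.6": (7, 6, 6), "7.4": (7, 4, 10), "7.2": (7, 2, 12), "7.0": (7, 0, 16)},
    "FortiOS":       {"7.6": (7, 6, 6), "7.4": (7, 4, 11), "7.2": (7, 2, 13), "7.0": (7, 0, 19)},
    "FortiProxy":    {"7.6": (7, 6, 5), "7.4": (7, 4, 13), "7.2": (7, 2, 16), "7.0": (7, 0, 23)},
    "FortiWeb":      {"8.0": (8, 0, 4), "7.6": (7, 6, 7), "7.4": (7, 4, 12)},
}

def parse_version(text):
    """Extract (major, minor, patch) from '7.4.3', 'v7.4.3' or a 'get system status' Version line."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def patch_status(product, version_text):
    """'patched', 'vulnerable', or 'unknown-branch' when the branch is absent from the
    advisory's table (treat that as 'check the vendor advisory manually')."""
    ver = parse_version(version_text)
    fixed = FIXED[product].get(f"{ver[0]}.{ver[1]}")
    if fixed is None:
        return "unknown-branch"
    return "patched" if ver >= fixed else "vulnerable"

def audit_config(config_text):
    """Walk the 'config ... / edit ... / next / end' blocks of a FortiOS-style backup and
    report the SSO login setting plus admin accounts that have no trusthostN entry."""
    section = []          # stack of open 'config' section names
    current_admin = None  # admin entry being read directly under 'config system admin'
    no_trusthost = []
    sso_login = None      # value of admin-forticloud-sso-login, if present

    def close_admin():
        nonlocal current_admin
        if current_admin is not None and not current_admin["trusthost"]:
            no_trusthost.append(current_admin["name"])
        current_admin = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        in_admin = bool(section) and section[-1] == "system admin"
        if line.startswith("config "):
            section.append(line[len("config "):])
        elif line.startswith("edit ") and in_admin:
            current_admin = {"name": line[len("edit "):].strip('"'), "trusthost": False}
        elif line == "next" and in_admin:
            close_admin()
        elif line == "end":
            if in_admin:
                close_admin()  # tolerate scripts that omit 'next' before 'end'
            if section:
                section.pop()
        elif line.startswith("set "):
            parts = line.split()
            key, value = parts[1], " ".join(parts[2:])
            if section and section[-1] == "system global" and key == "admin-forticloud-sso-login":
                sso_login = value
            if current_admin is not None and key.startswith("trusthost"):
                current_admin["trusthost"] = True
    return {"forticloud_sso_login": sso_login, "admins_without_trusthost": no_trusthost}

def assess(product, version_text, config_text):
    """Combine both checks into a list of human-readable findings (empty list = nothing found)."""
    findings = []
    status = patch_status(product, version_text)
    if status != "patched":
        findings.append(f"{product} {'.'.join(map(str, parse_version(version_text)))}: {status}")
    cfg = audit_config(config_text)
    if cfg["forticloud_sso_login"] == "enable":
        findings.append("FortiCloud SSO admin login is enabled (workaround: disable until patched)")
    elif cfg["forticloud_sso_login"] is None:
        findings.append("admin-forticloud-sso-login not present in backup: check the running config")
    for name in cfg["admins_without_trusthost"]:
        findings.append(f"admin '{name}' has no trusthost restriction")
    return findings

# Constructed sample backup: FortiOS 7.4.3 header, SSO login enabled, and one admin
# account ('helpdesk') that accepts logins from any source address.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.3-FW-build9999-000000:opmode=0:vdom=0
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-1"
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
end
"""

if __name__ == "__main__":
    for finding in assess("FortiOS", "Version: FortiGate-60F v7.4.3,build9999", SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed `assess()` the product name, the `Version:` line from `get system status`, and the text of a configuration backup; a non-empty result means the device still needs attention.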
📡 Detection & Monitoring
Log Indicators:
- Unexpected administrative logins from unknown IPs
- SSO authentication failures followed by successful logins
- Configuration changes from unexpected sources
Network Indicators:
- Unusual outbound connections from Fortinet devices
- Authentication requests to FortiCloud from unexpected sources
SIEM Query (pseudo-syntax; map eventtype and src_ip to your platform's field names and replace [trusted_ips] with your administrative source ranges):
source="fortigate" AND (eventtype="admin_login" OR eventtype="authentication") AND (src_ip NOT IN [trusted_ips])
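The log indicators listed above can be turned into a small detector that runs over FortiGate-style key=value event logs. This is an added example, not part of the advisory page and not a Fortinet-provided rule; the field names srcip, action, status, user and cfgpath are FortiGate event-log fields, but the sample lines, their logid values and the method value "forticloud-sso" are constructed for illustration, and 192.168.1.0/24 is reused from the trusthost workaround as the trusted range.

```python
"""Detection over FortiGate-style event logs (added example, not from the advisory or Fortinet).
Flags: admin logins from outside the trusted ranges, failed-then-successful logins for the
same user, and configuration changes made from an untrusted source address."""
import ipaddress
import re

# Same range as the trusthost workaround; extend with your own management networks.
TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]

# key=value pairs, with values either "quoted" or bare (srcip=203.0.113.45)
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one FortiGate event line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}

def is_trusted(src, trusted=TRUSTED):
    try:
        return any(ipaddress.ip_address(src) in net for net in trusted)
    except ValueError:      # malformed or missing address: never treat as trusted
        return False

def detect(lines, trusted=TRUSTED):
    """Return a list of alert strings for the given log lines, in log order."""
    alerts = []
    failures = {}           # user -> failed login count since that user's last success
    for ev in map(parse_line, lines):
        src = ev.get("srcip")
        untrusted = src is not None and not is_trusted(src, trusted)
        if ev.get("action") == "login":
            user = ev.get("user", "?")
            if ev.get("status") == "failed":
                failures[user] = failures.get(user, 0) + 1
            elif ev.get("status") == "success":
                if untrusted:
                    alerts.append(f"admin login from untrusted {src} user={user} "
                                  f"method={ev.get('method')}")
                if failures.get(user):
                    alerts.append(f"{failures[user]} failed login(s) then success "
                                  f"for user={user} from {src}")
                failures.pop(user, None)
        elif ev.get("cfgpath") and untrusted:
            alerts.append(f"config change {ev['cfgpath']} from untrusted {src} "
                          f"user={ev.get('user')}")
    return alerts

# Constructed sample log lines (values are illustrative, not captured from a real device).
SAMPLE_LOGS = [
    'date=2026-02-10 time=08:01:12 logid="0100032001" type="event" subtype="system" '
    'action="login" status="success" user="admin" srcip=192.168.1.20 method="https" '
    'msg="Administrator admin logged in successfully from https(192.168.1.20)"',
    'date=2026-02-10 time=08:15:40 logid="0100032002" type="event" subtype="system" '
    'action="login" status="failed" user="admin" srcip=203.0.113.45 method="forticloud-sso" '
    'msg="Administrator admin login failed"',
    'date=2026-02-10 time=08:15:58 logid="0100032001" type="event" subtype="system" '
    'action="login" status="success" user="admin" srcip=203.0.113.45 method="forticloud-sso" '
    'msg="Administrator admin logged in successfully"',
    'date=2026-02-10 time=08:17:03 logid="0100044546" type="event" subtype="system" '
    'action="Edit" user="admin" srcip=203.0.113.45 cfgpath="system.admin" cfgobj="backup-svc" '
    'msg="Edit system.admin backup-svc"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT:", alert)
```

The first sample line (a trusted-network login) produces nothing; the remaining three produce one alert each, matching the three log indicators listed above. Tune TRUSTED to your real management ranges before pointing this at production logs, otherwise every legitimate remote admin session will alert.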