Fortinet has disclosed a critical authentication bypass vulnerability impacting FortiOS that is being actively exploited in the wild, prompting the company to release emergency security updates and temporarily disable FortiCloud single sign-on (SSO) to protect customers.
The vulnerability, tracked as CVE-2026-24858 and assigned a CVSS score of 9.4, affects FortiOS as well as FortiManager and FortiAnalyzer. Fortinet said it is continuing to investigate whether additional products, including FortiWeb and FortiSwitch Manager, may also be impacted.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in an advisory released Tuesday.
Fortinet noted that FortiCloud SSO is not enabled by default in factory settings. The feature is typically activated when an administrator registers a device to FortiCare through the device’s graphical user interface, unless the “Allow administrative login using FortiCloud SSO” option has been explicitly enabled.
The disclosure follows the discovery of a “new attack path” being used by unidentified threat actors to gain SSO logins without requiring authentication. Fortinet said the access was abused to create local administrator accounts for persistence, modify configurations to grant VPN access, and exfiltrate firewall configuration data.
The company first observed attacks on 23 January and issued a public advisory on 27 January, after disabling two malicious FortiCloud accounts that were exploiting the SSO feature. The development came shortly after a December 2025 advisory related to two earlier SSO bypass vulnerabilities — CVE-2025-59718 and CVE-2025-59719 — which had already been patched but appeared to be under active exploitation.
“Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue,” Fortinet said in a recently updated 22 January advisory.
“However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.”
Fortinet said it has since identified CVE-2026-24858 as the root cause of the activity and disclosed the vulnerability overnight. The company confirmed that the flaw had been exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22.
“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22. In order to protect its customers from further exploit, Fortinet disabled FortiCloud SSO on FortiCloud side on 2026-01-26. It was re-enabled on 2026-01-27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function.”
Fortinet has urged customers using FortiOS, FortiManager and FortiAnalyzer to upgrade to the latest available versions to restore FortiCloud SSO functionality and mitigate the risk of further exploitation.
