Fixing and finding
Jump to remediation plan
CVE ID

CVE-2026-24858

Published 2026-01-28
Updated 3 months ago
Vendor/s
Fortinet
Product/s
Multiple Products
Version/s
7.0.0 > 7.0.15
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
9.8
/ 10
Critical
Severity Details
Base score
9.8 Critical
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2026-24858 is a critical (CVSS 9.8) Fortinet authentication bypass vulnerability in FortiOS, FortiManager, and more, currently under active exploitation.

CPE

Fortinet logo
Fortinet
Product Version Start Version End (excl.) Status
fortianalyzer 7.0.0 7.0.15 vulnerable
fortianalyzer 7.2.0 7.2.11 vulnerable
fortianalyzer 7.4.0 7.4.10 vulnerable
fortianalyzer 7.6.0 7.6.6 vulnerable
fortimanager 7.0.0 7.0.15 vulnerable
fortimanager 7.2.0 7.2.11 vulnerable
fortimanager 7.4.0 7.4.10 vulnerable
fortimanager 7.6.0 7.6.6 vulnerable
fortiproxy 7.0.0 7.0.22 vulnerable
fortiproxy 7.2.0 7.2.15 vulnerable
fortiproxy 7.4.0 7.4.12 vulnerable
fortiproxy 7.6.0 7.6.4 vulnerable
fortiweb 7.4.0 7.4.11 vulnerable
fortiweb 7.6.0 7.6.6 vulnerable
fortiweb 8.0.0 8.0.3 vulnerable
fortios 7.0.0 7.0.18 vulnerable
fortios 7.2.0 7.2.12 vulnerable
fortios 7.4.0 7.4.11 vulnerable
fortios 7.6.0 7.6.6 vulnerable

Related weakness (CWE)

CWE-288

Remediation plan

1

Apply official patches

Immediately apply the security updates provided by Fortinet. Consult the FortiGuard PSIRT advisory FG-IR-26-060 to identify the specific firmware release required for your hardware model and deployment configuration.

2

Update affected systems

Upgrade to the following versions or higher: FortiOS 7.4.11/7.6.6; FortiManager and FortiAnalyzer 7.4.10/7.6.6; FortiProxy 7.0.23, 7.2.16, 7.4.13, or 7.6.5; and FortiWeb 7.4.12, 7.6.7, or 8.0.4.

3

Restrict access

If patching cannot be performed immediately, disable FortiCloud SSO authentication on all affected devices. Additionally, ensure management interfaces are not exposed to the public internet and are restricted to trusted administrative subnets.

4

Monitor for exploitation

Review system logs for 'FortiCloud SSO' login events. Investigate any successful authentications from unrecognized account IDs or unexpected geographic locations, and audit administrative accounts for unauthorized additions or configuration changes.

Detection Guidance

Security teams should monitor device logs for successful authentication events involving FortiCloud SSO where the user is not a recognized administrator. Specifically, look for log entries indicating logins from external FortiCloud IDs that do not belong to your organization. Network-level detection should focus on unusual traffic to management ports (HTTPS/443, 541) from unknown IP addresses. Implementing the specific IOCs and log patterns detailed in Fortinet's FG-IR-26-060 advisory into your SIEM is highly recommended.

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-060 Vendor Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858 US Government Resource https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios Mitigation Vendor Advisory

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial