Summary

A critical vulnerability, identified as CVE-2026-24858, has been discovered in Fortinet products, including FortiOS, FortiManager, and FortiAnalyzer. This vulnerability allows an attacker with a FortiCloud account and a registered device to gain unauthorized access to other devices registered to different accounts if FortiCloud SSO authentication is enabled. The vulnerability has a CVSS base score of 9.4, indicating a critical risk level, and has been actively exploited in the wild.

Affected Systems and/or Applications

The following Fortinet products and versions are affected by this vulnerability:

• FortiAnalyzer versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15
• FortiManager versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15
• FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18
• FortiProxy versions 7.6 through 7.6.4
• FortiProxy versions 7.4 through 7.4.12
• FortiProxy 7.2 all versions
• FortiProxy 7.0 all versions

The vulnerability affects devices with FortiCloud SSO authentication enabled, which is not enabled by default but can be activated during device registration.

Technical Details

CVE-2026-24858 is an authentication bypass vulnerability classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. The flaw exists in the mechanism used to authenticate FortiCloud-registered devices, allowing an attacker to leverage a valid FortiCloud account and an associated registered device to impersonate or gain access to other Fortinet devices registered to different FortiCloud accounts.

The vulnerability is network-accessible and can be exploited remotely with low attack complexity. Exploitation does not require prior authentication, elevated privileges, or user interaction, making it a pre-authentication attack. Successful exploitation results in a complete compromise of the target device’s security boundary, leading to high impact on confidentiality, integrity, and availability (CIA). The inclusion of this vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalog indicates confirmed exploitation in real-world environments.

A plausible attack scenario involves an attacker who possesses a legitimate FortiCloud account and has at least one registered device. By abusing the flawed authentication path, the attacker can bypass account isolation controls and authenticate to other Fortinet devices owned by different customers. Once unauthorized access is obtained, the attacker may perform post-exploitation activities such as lateral movement, extraction of sensitive configuration or operational data, modification of device settings, or intentional service disruption.

The highest-risk scenario arises when the vulnerability is exploited against security-critical or infrastructure-facing devices, potentially enabling large-scale data breaches, loss of network visibility, or prolonged operational outages. Given the pre-authentication nature of the flaw and the availability of exploitation in the wild, organizations operating affected devices should consider this vulnerability critical and address it with priority.

Mitigation

Immediate actions:

Immediate actions is required to mitigate this vulnerability. Organizations should:

1. Upgrade affected Fortinet products to the latest secure versions:
   
   • FortiAnalyzer to version 7.6.6 or above
   • FortiManager to version 8.0.0 or above
   • FortiOS to version 8.0.0 or above
   • FortiProxy versions 7.6 through 7.6.4 Upgrade to upcoming 7.6.6 or above
   • FortiProxy versions 7.4 through 7.4.12 Upgrade to upcoming 7.4.13 or above
2. As an interim measure, consider disabling FortiCloud SSO authentication if feasible.
3. Implement network segmentation to limit access to critical devices and monitor for unusual login activities.
4. Enhance monitoring to detect and prevent unauthorized access.

Temporary Workaround:

Restrict administrative access best practice
It is best practice to not allow unrestricted administration of any edge network device via the internet, with best practice being out of band access. If this is not possible, it is highly recommended to apply a local-in policy to restrict the IP addresses that are able to access the administrative interface.

The example below would prevent any access from known malicious IPs or Botnet IPs (rule 1) and only allow HTTPS administration from the 10.10.10.0/24 subnet (rule 2).  Adjust according to your local setup.

config firewall address
    edit "10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "10.10.10.0"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
    next
end

Follow up on Fortinet Recommendations pointed out in the References.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and analyzing the case to identify potential threat-hunting campaigns. This advisory will be updated if required. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

Tenable IDs:

• 296981
• 296980
• 296979

References

• Fortinet Advisory: FG-IR-26-060
• Fortinet Recommendations: Fortinet Recommendations
• KS Advisory published on 2025-12-18: Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities Actively Exploited (CVE-2025-59718, CVE-2025-59719)
• Tenable Plugings
• CISA Known Exploited Vulnerabilities Catalog