    Attention! Fortinet Reveals Actively Exploited Critical Vulnerability in FortiOS, FortiManager, and FortiAnalyzer

    Critical Vulnerability Discovered in Fortinet Products: What You Need to Know

    Cybersecurity firm Fortinet has recently raised alarms after disclosing a Critical Severity vulnerability that affects a range of its widely-used products. The situation has escalated as malicious actors are already exploiting this vulnerability, posing significant risks to users and organizations.

    The Problem Unveiled

    On January 27, Fortinet published a Public Advisory, revealing the vulnerability first noticed on January 23. Initial reports indicated that two malicious accounts were exploiting the Single Sign-On (SSO) feature in FortiOS, leading to unauthorized access across various accounts. This incident was not isolated; rather, it was preceded by a December 2025 advisory regarding two other SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) that had already been reported and addressed. Despite Fortinet’s urgent efforts to mitigate these vulnerabilities, active exploitation still seemed to continue.

    Concern grew when a small number of customers reported unexpected login activity that mirrored the previous SSO vulnerabilities. What made this issue alarming was Fortinet’s discovery that even fully upgraded systems were affected, suggesting a new and critical attack vector.

    The Vulnerability Identified

    Following thorough investigations, Fortinet pinpointed the underlying cause: CVE-2026-24858. This vulnerability is an Authentication Bypass Using an Alternate Path or Channel (CWE-288) and affects FortiOS, FortiManager, and FortiAnalyzer. Attackers with a FortiCloud account could log into devices registered under different accounts if FortiCloud SSO authentication was enabled.

    Fortinet confirmed that this vulnerability had been actively exploited by two malicious FortiCloud accounts, which were deactivated on January 22, 2026. In a bid to protect customers from further exploitation, Fortinet temporarily disabled FortiCloud SSO on its side and re-enabled it on January 27, but with specific restrictions that necessitate upgrading to the latest software versions.

    Implications of the Vulnerability

    With a Common Vulnerability Scoring System (CVSS) score of 9.8, CVE-2026-24858 poses a severe risk to users. The vulnerability has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog, signaling to organizations that immediate action is required.

    Affected Products

    Fortinet has identified a range of products that are affected by CVE-2026-24858. The affected versions include:

    • FortiAnalyzer:

      • 7.6: Versions 7.6.0 through 7.6.5
      • 7.4: Versions 7.4.0 through 7.4.9
      • 7.2: Versions 7.2.0 through 7.2.11
      • 7.0: Versions 7.0.0 through 7.0.15
    • FortiManager:

      • 7.6: Versions 7.6.0 through 7.6.5
      • 7.4: Versions 7.4.0 through 7.4.9
      • 7.2: Versions 7.2.0 through 7.2.11
      • 7.0: Versions 7.0.0 through 7.0.15
    • FortiOS:

      • 7.6: Versions 7.6.0 through 7.6.5
      • 7.4: Versions 7.4.0 through 7.4.10
      • 7.2: Versions 7.2.0 through 7.2.12
      • 7.0: Versions 7.0.0 through 7.0.18
    • FortiProxy:

      • 7.6: Versions 7.6.0 through 7.6.4
      • 7.4: Versions 7.4.0 through 7.4.12
      • 7.2 & 7.0: All Versions—Fortinet recommends migrating to fixed releases.
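
    The version ranges listed above, turned into an inventory check; this is an added example, not Fortinet's code. Hostnames and versions in the sample are constructed, and the status labels are names chosen here. A release above a listed range is reported as such rather than as fixed, because the page does not name the fixed releases.

```python
import re

# Affected ranges transcribed from the list above: product -> branch -> last
# affected patch level. None means every release on that branch is affected.
AFFECTED = {
    "fortianalyzer": {(7, 6): 5, (7, 4): 9, (7, 2): 11, (7, 0): 15},
    "fortimanager": {(7, 6): 5, (7, 4): 9, (7, 2): 11, (7, 0): 15},
    "fortios": {(7, 6): 5, (7, 4): 10, (7, 2): 12, (7, 0): 18},
    "fortiproxy": {(7, 6): 4, (7, 4): 12, (7, 2): None, (7, 0): None},
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(product, version):
    """Return 'affected', 'above-listed-range' or 'unlisted' for one device."""
    branches = AFFECTED.get(product.strip().lower())
    match = VERSION_RE.search(version)
    if branches is None or match is None:
        return "unlisted"          # product or version string not recognised
    major, minor, patch = map(int, match.groups())
    if (major, minor) not in branches:
        return "unlisted"          # branch not on the page: check the advisory
    last_affected = branches[(major, minor)]
    if last_affected is None or patch <= last_affected:
        return "affected"
    return "above-listed-range"


def triage(inventory):
    """Group (hostname, product, version) rows by classification."""
    result = {"affected": [], "above-listed-range": [], "unlisted": []}
    for host, product, version in inventory:
        result[classify(product, version)].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    ("fw-edge-01", "FortiOS", "v7.4.10"),
    ("fw-edge-02", "FortiOS", "7.4.11 build0000"),
    ("faz-01", "FortiAnalyzer", "7.2.11"),
    ("proxy-01", "FortiProxy", "7.2.3"),
    ("fw-lab-01", "FortiOS", "6.4.15"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

    Devices reported as unlisted run a product or branch that the list above does not cover, so they need a manual check against the vendor advisory.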

    Action Steps for Customers

    To mitigate the vulnerabilities, Fortinet urges customers to follow the proper upgrade paths for their systems. The company has provided a dedicated upgrade tool to assist users in ensuring their systems are updated to the latest versions that secure against potential exploits.

    For organizations using Fortinet products, it’s critical to act swiftly in addressing this vulnerability. Monitoring login activity, upgrading systems, and understanding the implications of CVE-2026-24858 should be prioritized to protect sensitive data from a potential breach.
