
Update Now! Fortinet discloses actively exploited Critical flaw in FortiOS, FortiManager, and FortiAnalyzer

CVE-2026-24858 affects dozens of Fortinet products and has already been added to CISA’s list of known exploited vulnerabilities.

Wed, 28 Jan 2026

Cyber security firm Fortinet has disclosed a Critical Severity vulnerability impacting a raft of its products; however, the real bad news is that malicious actors are already taking full advantage.

The company brought the issue to light in a January 27 public advisory, after locking out two malicious FortiCloud accounts that had been abusing the FortiCloud single sign-on feature on its devices; Fortinet's advisory dates that lockout to January 22.

This followed a December 2025 advisory covering two earlier FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) that Fortinet had already patched, but which still appeared to be under active exploitation.


“Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue,” Fortinet said in a recently updated January 22 advisory.

“However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.”

Fortinet’s now gotten to the bottom of the issue and identified CVE-2026-24858, which it disclosed overnight.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in its most recent advisory.

“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22. In order to protect its customers from further exploit, Fortinet disabled FortiCloud SSO on FortiCloud side on 2026-01-26. It was re-enabled on 2026-01-27 and no longer supports login from devices running vulnerable versions. Consequently, customers must upgrade to the latest versions listed below for the FortiCloud SSO authentication to function.”

CVE-2026-24858 has a CVSS score of 9.8, and has already been added to CISA’s Known Exploited Vulnerabilities Catalog.

Fortinet lists the following versions as affected:

  • FortiAnalyzer 7.6, versions 7.6.0 through 7.6.5
  • FortiAnalyzer 7.4, versions 7.4.0 through 7.4.9
  • FortiAnalyzer 7.2, versions 7.2.0 through 7.2.11
  • FortiAnalyzer 7.0, versions 7.0.0 through 7.0.15
  • FortiManager 7.6, versions 7.6.0 through 7.6.5
  • FortiManager 7.4, versions 7.4.0 through 7.4.9
  • FortiManager 7.2, versions 7.2.0 through 7.2.11
  • FortiManager 7.0, versions 7.0.0 through 7.0.15
  • FortiOS 7.6, versions 7.6.0 through 7.6.5
  • FortiOS 7.4, versions 7.4.0 through 7.4.10
  • FortiOS 7.2, versions 7.2.0 through 7.2.12
  • FortiOS 7.0, versions 7.0.0 through 7.0.18
  • FortiProxy 7.6, versions 7.6.0 through 7.6.4
  • FortiProxy 7.4, versions 7.4.0 through 7.4.12
  • FortiProxy 7.2, all versions - Fortinet recommends migrating to a fixed release
  • FortiProxy 7.0, all versions - Fortinet recommends migrating to a fixed release

Fortinet recommends following the proper upgrade path and has provided a handy tool to help: https://docs.fortinet.com/upgrade-tool. Because FortiCloud SSO now refuses logins from devices on vulnerable builds, upgrading is also what restores SSO, and administrators should review recent login events on their devices for the unexpected SSO sign-ins Fortinet describes.
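The first practical step is working out which devices in a fleet fall inside the affected ranges above. The script below is an added example, not Fortinet's tooling or code: it transcribes the ranges from the list on this page into a small triage function and runs it over a constructed inventory. The hostnames, versions and the "v7.4.10,build0001" style of version string are assumptions for illustration; Fortinet's upgrade tool remains the authority on the actual fixed build for each branch.

```python
"""Triage a device inventory against the affected-version ranges for CVE-2026-24858.

Added example, not Fortinet's code. AFFECTED is transcribed from the version
list on this page; the sample inventory and the accepted version-string format
are constructed assumptions.
"""
import re

# (product, major.minor branch) -> inclusive (lowest, highest) affected version,
# or None where the page says "all versions" of the branch are affected and
# Fortinet recommends migrating to a fixed release.
AFFECTED = {
    ("FortiAnalyzer", (7, 6)): ((7, 6, 0), (7, 6, 5)),
    ("FortiAnalyzer", (7, 4)): ((7, 4, 0), (7, 4, 9)),
    ("FortiAnalyzer", (7, 2)): ((7, 2, 0), (7, 2, 11)),
    ("FortiAnalyzer", (7, 0)): ((7, 0, 0), (7, 0, 15)),
    ("FortiManager", (7, 6)): ((7, 6, 0), (7, 6, 5)),
    ("FortiManager", (7, 4)): ((7, 4, 0), (7, 4, 9)),
    ("FortiManager", (7, 2)): ((7, 2, 0), (7, 2, 11)),
    ("FortiManager", (7, 0)): ((7, 0, 0), (7, 0, 15)),
    ("FortiOS", (7, 6)): ((7, 6, 0), (7, 6, 5)),
    ("FortiOS", (7, 4)): ((7, 4, 0), (7, 4, 10)),
    ("FortiOS", (7, 2)): ((7, 2, 0), (7, 2, 12)),
    ("FortiOS", (7, 0)): ((7, 0, 0), (7, 0, 18)),
    ("FortiProxy", (7, 6)): ((7, 6, 0), (7, 6, 4)),
    ("FortiProxy", (7, 4)): ((7, 4, 0), (7, 4, 12)),
    ("FortiProxy", (7, 2)): None,
    ("FortiProxy", (7, 0)): None,
}

# Accepts "7.4.10" as well as "v7.4.10,build0001" (assumed inventory format).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) as integers so that 7.4.10 sorts after 7.4.9.

    Comparing the raw strings would get this wrong ("7.4.10" < "7.4.9"
    lexicographically), which is a common triage bug."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def status(product: str, version_text: str) -> str:
    """Classify one device against the page's affected ranges.

    'affected'             : inside the listed range for that branch
    'above_affected_range' : later patch than the listed range on that branch
    'migrate'              : whole branch listed as affected, no fixed build
    'unlisted'             : branch not on the page at all; this is NOT a
                             statement that the device is safe."""
    ver = parse_version(version_text)
    key = (product, ver[:2])
    if key not in AFFECTED:
        return "unlisted"
    rng = AFFECTED[key]
    if rng is None:
        return "migrate"
    low, high = rng
    return "affected" if low <= ver <= high else "above_affected_range"


def triage(inventory) -> dict:
    """Map hostname -> status for an iterable of (hostname, product, version)."""
    return {host: status(product, ver) for host, product, ver in inventory}


# Constructed sample inventory: hostnames, versions and build strings are illustrative.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "FortiOS", "v7.4.10,build0001"),
    ("fw-edge-2", "FortiOS", "v7.4.11,build0002"),
    ("fmg-1", "FortiManager", "7.6.5"),
    ("faz-1", "FortiAnalyzer", "7.2.12"),
    ("proxy-legacy", "FortiProxy", "7.2.9"),
    ("fw-lab", "FortiOS", "7.8.0"),
]

if __name__ == "__main__":
    for host, st in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {st}")
```

Anything reported as "above_affected_range" or "unlisted" still needs confirming against Fortinet's advisory and upgrade tool before it is treated as safe; the script only tells you what is definitely inside a listed range.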

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
