FortiCloud SSO Authentication Bypass – CVE-2026-24858

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical authentication bypass vulnerability in Fortinet products, actively exploited in the wild.

Vulnerability Overview

  • CVE ID: CVE-2026-24858
  • Severity: CVSS 9.1 (Critical)
  • Type: Authentication bypass via alternate path/channel (CWE-288).
  • Affected products: FortiAnalyzer, FortiManager, FortiOS, FortiProxy.
  • Root cause: Improper handling of FortiCloud SSO tokens.
  • Impact: Attackers with a FortiCloud account can hijack sessions on devices registered to other accounts.

Exploitation Details

  • Attackers scan for exposed FortiCloud SSO endpoints.
  • Register low-privilege devices → pivot to high-value targets (e.g., FortiGate firewalls).
  • Exploit SSO token validation gaps:
    • Authenticate to their own device.
    • Capture session token.
    • Replay token against victim devices in the same tenant.
  • Result: Admin access → configuration dumps, VPN pivots, malware staging.
  • No direct code execution, but privilege escalation enables ransomware deployment.
  • Threat groups: Tactics align with LockBit and ALPHV/BlackCat operations.

Exposure

  • CISA action: Added CVE-2026-24858 to Known Exploited Vulnerabilities (KEV) catalog (Jan 29, 2026).
  • Patch deadline: Federal agencies must comply under BOD 22-01 timelines.
  • Private sector risk: Shadowserver scans show 500,000+ Fortinet devices worldwide using FortiCloud SSO.

Mitigation & Patch Guidance

Product         Vulnerable Versions   Fixed Versions
FortiAnalyzer   7.4.0 – 7.4.3         7.4.4+
FortiManager    7.6.0 – 7.6.2         7.6.3+
FortiOS         7.4.0 – 7.4.5         7.4.6+
FortiProxy      7.4.0 – 7.4.4         7.4.5+

Additional mitigations:

  • Disable FortiCloud SSO if not required.
  • Enforce MFA on FortiCloud accounts.
  • Monitor for anomalous logins in FortiAnalyzer.
  • Follow CISA BOD 22-01 for cloud services.
  • Decommission or isolate vulnerable setups until patched.
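To make the "monitor for anomalous logins" item concrete, here is an added example (not Fortinet's or CISA's code) that checks SSO login events for the two patterns this advisory describes: a token whose FortiCloud account does not match the account the device is registered to, and one token used successfully against devices owned by more than one account. The log lines and field names (device, owner, sso_account, token, result) are constructed for illustration and are not a real FortiAnalyzer log format; map them to your own export.

```python
import re
from collections import defaultdict

# Constructed sample events (NOT real FortiAnalyzer output; field names are assumptions).
# Each line records the device, the FortiCloud account that owns it, the account
# asserted by the SSO token, the token identifier, and the login outcome.
SAMPLE_LOGS = """\
device=fg-hq-01 owner=acct-A sso_account=acct-A token=t1 result=success
device=fg-hq-01 owner=acct-A sso_account=acct-A token=t1 result=success
device=fg-branch-07 owner=acct-B sso_account=acct-A token=t1 result=success
device=fmg-core-01 owner=acct-B sso_account=acct-A token=t1 result=success
device=fg-lab-02 owner=acct-C sso_account=acct-C token=t9 result=success
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn a key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_suspicious_sso_logins(lines):
    """Return findings for two patterns from the advisory:
    1. account_mismatch: a successful SSO login whose token account is not the device owner;
    2. token_replay: one token accepted by devices registered to more than one account."""
    findings = []
    token_owners = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev.get("result") != "success":
            continue  # only accepted logins matter for hijack detection
        if ev["sso_account"] != ev["owner"]:
            findings.append(("account_mismatch", ev["device"], ev["sso_account"]))
        token_owners[ev["token"]].add(ev["owner"])
    for token, owners in token_owners.items():
        if len(owners) > 1:
            findings.append(("token_replay", token, ",".join(sorted(owners))))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sso_logins(SAMPLE_LOGS):
        print(finding)
```

Either finding on a device that should not be reachable by that FortiCloud account is a reason to treat the session as compromised and review the device configuration for changes.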

Takeaway

CVE-2026-24858 highlights the risks of SSO misconfigurations in hybrid cloud environments. While exploitation doesn’t directly execute code, it enables admin-level compromise—a perfect launchpad for ransomware and lateral movement. Organizations should patch immediately, disable unnecessary SSO, and enforce MFA to reduce exposure.
