Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign on (SSO) is enabled on devices.1
Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature].2 CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass the SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.3 On Fortinet devices that had been fully upgraded to the latest release addressing CVE-2025-59718 and CVE-2025-59719 at the time of CVE-2026-24858 exploitation, Fortinet observed the following malicious activity:
- Unauthorized firewall configuration changes on FortiGate devices.
- Unauthorized creation of accounts.
- Unauthorized configuration changes of virtual private networks (VPNs) to grant access to new accounts.4
According to Fortinet, on Jan. 26, 2026, Fortinet disabled all FortiCloud SSO authentication to mitigate CVE-2026-24858, then reinstated the service on Jan. 27, 2026, with changes to prevent exploitation of vulnerable devices.
CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog on Jan. 27, 2026.
CISA urges users to check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and immediately apply updates as soon as they are available using Fortinet’s instructions: