CVE-2026-24858 (CVSS 9.4): FortiOS SSO Zero-Day Exploited in the Wild
Estimated Reading Time: 8 minutes
Key Takeaways:
- Critical Authentication Bypass: CVE-2026-24858 allows attackers to gain full administrative access via the FortiCloud SSO framework.
- Active Exploitation: Identified as a zero-day in January 2026, this flaw was immediately targeted by threat actors using malicious FortiCloud accounts.
- Wide Impact: The vulnerability affects FortiOS, FortiManager, and FortiAnalyzer, representing a significant risk to network perimeters.
- Immediate Action Required: Organizations must apply firmware updates or disable “FortiCloud SSO administrative login” to mitigate the threat.
Table of Contents:
In January 2026, a critical security flaw identified as CVE-2026-24858 (CVSS 9.4) was discovered in the FortiCloud Single Sign-On (SSO) mechanism. This zero-day vulnerability affects FortiOS, FortiManager, and FortiAnalyzer, allowing unauthorized actors to bypass authentication protocols and gain administrative access to devices associated with various accounts. The vulnerability was immediately targeted by threat actors, necessitating an emergency response from Fortinet and a directive from the Cybersecurity and Infrastructure Security Agency (CISA).
The exploitation of CVE-2026-24858 involves an alternate path or channel within the FortiCloud SSO framework. Attackers who possess a legitimate FortiCloud account and at least one registered device can exploit this flaw to circumvent the authentication process for other devices where SSO is enabled. Because this bypass occurs without the need for traditional credentials, it represents a significant risk to the integrity of network security perimeters.
CVE-2026-24858 Analysis
The technical root of CVE-2026-24858 lies in the way FortiCloud SSO manages session validation across different tenant environments. When administrators register hardware to FortiCare via the graphical user interface (GUI), a toggle for “Allow administrative login using FortiCloud SSO” is often active by default or enabled during the setup process. Unless this specific administrative login option is manually disabled, the system remains susceptible to the authentication bypass.
Historical data suggests that authentication bypasses in Fortinet products are a recurring target for advanced persistent threats (APTs). In early 2025, vulnerabilities such as CVE-2025-59718 and CVE-2025-59719 were utilized to bypass SSO through specifically crafted Security Assertion Markup Language (SAML) messages. While those issues were addressed in previous firmware updates, CVE-2026-24858 represents a new attack path that renders those specific patches insufficient if the newer vulnerability is left unaddressed.
The 2025 Verizon Data Breach Investigations Report (DBIR) documented a 34% increase in the exploitation of vulnerabilities, which now accounts for approximately 20% of all recorded breaches. This trend is driven by the speed at which attackers transition from discovery to large-scale exploitation. In the case of CVE-2026-24858, Fortinet identified two specific malicious FortiCloud accounts actively targeting the flaw, resulting in a temporary suspension of the FortiCloud SSO service on January 26 to mitigate further risk.
Timeline of Exploitation and Response
The timeline for CVE-2026-24858 highlights the rapid progression from initial reports to federal mandates:
- January 20, 2026: Multiple Fortinet clients report unauthorized access to FortiGate firewalls. Attackers successfully created local administrator accounts despite the devices running current firmware versions.
- January 22, 2026: Fortinet identifies and blocks two malicious FortiCloud accounts used in the campaign.
- January 26, 2026: Fortinet suspends FortiCloud SSO globally to prevent further unauthorized access.
- January 27, 2026: SSO services are restored exclusively for devices running patched firmware versions.
- January 28, 2026: Public disclosure of CVE-2026-24858 with a CVSS score of 9.4.
- January 30, 2026: Deadline for Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability per CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The Underground Market and Exploit Persistence
The exploitation of zero-days like CVE-2026-24858 is supported by a mature underground economy. Analysis of the exploit market reveals that sophisticated tools are frequently traded on specialized platforms. For instance, an actor known as ‘zeroplayer’ has been observed selling exploits for high-value targets, including Microsoft Office bypasses priced at $300,000 and tools to disable security software for $80,000.
Access to such tools allows lower-skilled actors to conduct high-impact operations, increasing the overall volume of attacks. Utilizing an underground forum intelligence service allows organizations to monitor these transactions and anticipate the arrival of new exploit kits. Similarly, telegram threat monitoring has become an essential component of breach detection, as threat actors increasingly use encrypted messaging apps to coordinate the distribution of malware lures and command-and-control (C2) instructions.
Threat Actor Profiles and Tactics
Several notable groups have been identified in the broader context of vulnerability exploitation during this period:
- APT44 (Sandworm) & Turla: These Russian-linked entities have utilized path traversal and authentication flaws to target infrastructure. Their tactics involve using lures related to drone operations to deploy the STOCKSTAY malware.
- TEMP.Armageddon (CARPATHIAN): This group has leveraged similar vulnerabilities to drop HTA downloader files, facilitating further intrusion into target networks.
- UNC4895 (RomCom): Known for both espionage and financial gain, they have been observed distributing the Snipbot virus and targeting the travel sector via fake booking emails.
- China-linked Groups: These actors have utilized BAT files to install POISONIVY malware, often using third-party links or cloud storage services like Dropbox to bypass standard perimeter filters.
Implementation of Defense Strategies
To mitigate the risks posed by CVE-2026-24858 and similar vulnerabilities, organizations must move beyond reactive patching. The speed of modern exploitation requires a multi-layered approach to security.
A dark web monitoring service provides early warning signs that a specific firmware version or software component is being targeted by exploit developers. This information allows security teams to prioritize patches before an official CVE is even published. Furthermore, supply chain information security monitoring is necessary for organizations that rely on third-party managed service providers (MSPs).
Integrating brand leak alerting ensures that if administrative credentials or session tokens are exposed in the underground market, the organization can invalidate those sessions immediately. This is particularly relevant for FortiCloud accounts, which serve as the gateway for the SSO exploitation path.
Practical Takeaways
For Technical Staff and Engineers:
- Immediate Patching: Verify all FortiGate, FortiManager, and FortiAnalyzer devices are running the versions released after January 27, 2026.
- Configuration Hardening: Ensure that “Allow administrative login using FortiCloud SSO” is disabled on all mission-critical infrastructure.
- Indicator of Compromise (IOC) Hunting: Search system logs for the creation of unexpected local administrative users.
For Business Leaders and Decision Makers:
- Asset Inventory: Confirm that all internet-exposed Fortinet hardware is accounted for to eliminate “shadow IT” risks.
- Incident Response Planning: Update the incident response plan to include procedures for when a primary authentication mechanism (like SSO) is compromised.
- Resource Allocation: Allocate resources for continuous monitoring services to address shorter time-to-exploit cycles.
PurpleOps Technical Expertise
PurpleOps provides the infrastructure and analytical capabilities necessary to navigate the technical requirements of modern cybersecurity. Our cyber threat intelligence services are designed to provide the specific data points required for proactive defense.
By leveraging our dark web monitoring, organizations can gain visibility into where vulnerabilities like CVE-2026-24858 are discussed and traded. To ensure that your perimeter defenses are effective, PurpleOps offers comprehensive and red team operations.
In the context of the current ransomware threat, our protect against ransomware services integrate real-time intelligence to block the delivery of payloads. We provide a technological hub that combines a comprehensive platform with specialized PurpleOps Solutions to address the specific needs of modern enterprises. For more information, PurpleOps Solutions.
Frequently Asked Questions
What is CVE-2026-24858?
It is a critical authentication bypass vulnerability (CVSS 9.4) in the FortiCloud SSO framework that allows attackers to gain administrative access to Fortinet devices.
Which products are affected by this zero-day?
The vulnerability affects FortiOS, FortiManager, and FortiAnalyzer. Evaluations for FortiWeb and FortiSwitch Manager are ongoing.
How can I mitigate the risk if I cannot patch immediately?
You should immediately disable the “Allow administrative login using FortiCloud SSO” option in the FortiCare registration settings and audit all administrative accounts for unauthorized additions.
Why did CISA issue a directive for this vulnerability?
CISA included CVE-2026-24858 in its Known Exploited Vulnerabilities (KEV) catalog because it is being actively exploited in the wild, posing a significant risk to federal and private infrastructure.