6 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Administrative Authentication Bypass via FortiCloud SSO in Fortinet Products
CVSS Score: 9.8 (Critical, CVSS v3.1)
Identifier: CVE-2026-24858
Exploit or POC: CVE-2026-24858 is confirmed to be actively exploited in the wild and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Update: Fortinet has released emergency fixes and enforced server-side protections. Devices must be upgraded to fixed firmware in order to continue using FortiCloud SSO safely.
Representative fixed versions (vary by product and branch):
FortiOS: 7.6.6 (7.6), 7.4.11 (7.4), 7.2.13 (7.2), 7.0.19 (7.0)
FortiManager: 7.6.6 (7.6), 7.4.10 (7.4), 7.2.13 (7.2), 7.0.16 (7.0)
FortiAnalyzer: 7.6.6 (7.6), 7.4.10 (7.4), 7.2.12 (7.2), 7.0.16 (7.0)
FortiProxy: 7.6.6 (7.6), 7.4.13 (7.4), 7.2.16 (7.2), 7.0.23 (7.0)
FortiWeb: 8.0.4 (8.0), 7.6.7 (7.6), 7.4.12 (7.4)
Administrators should consult Fortinet PSIRT advisories for exact fixed versions per product line and apply updates immediately. Devices running vulnerable versions may have FortiCloud SSO login automatically blocked by Fortinet until patched.
Description:
CVE-2026-24858 is an authentication bypass vulnerability in Fortinet’s FortiCloud Single Sign-On integration. When the option “Allow administrative login using FortiCloud SSO” is enabled, improper validation of SSO trust allows an attacker with a FortiCloud account and registered device to authenticate to other organizations’ Fortinet devices that also have FortiCloud SSO enabled.
This allows attackers to obtain full administrative access to security appliances without knowing local credentials, effectively bypassing perimeter authentication controls.
Mitigation Recommendation:
Immediately upgrade all affected Fortinet products to the fixed firmware versions released by Fortinet.
Disable FortiCloud SSO administrative login if it is not strictly required.
Restrict management interface access to trusted administrative networks only (VPN, ZTNA, IP allowlists).
Review administrator audit logs for FortiCloud SSO login events, especially from unfamiliar accounts or IP addresses.
Note: Given the critical severity and confirmed exploitation of this vulnerability, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.
