External risk intelligence

Fortinet devices can be improperly accessed by attackers if FortiCloud SSO is enabled

CVE advisoryKnown Exploit

CVE-2026-24858

Fortinet devices with FortiCloud SSO enabled allow attackers to bypass security and access other accounts' devices. This is critical because it grants unauthorized access to network management and security functions.

5Halo Surface Signal

Authentication Bypass

Fortinet Fortianalyzer

7.0.0 to 7.0.157.2.0 to 7.2.117.4.0 to before 7.4.107.6.0 to before 7.6.67.0.0 to 7.0.227.2.0 to 7.2.157.4.0 to 7.4.127.6.0 to 7.6.47.4.0 to 7.4.117.6.0 to 7.6.68.0.0 to 8.0.3;...

External exposure likelihood

Halo Surface Signal score for CVE-2026-24858

These Fortinet products serve as network security appliances, firewalls, and application proxies, which are standard components deployed at the internet edge. Since these devices frequently process external traffic and are often reachable to facilitate administrative or remote service connectivity, the attack surface is natively aligned with public-facing internet exposure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker with a FortiCloud account to access other Fortinet devices that are not theirs. This is concerning because it bypasses normal security controls, potentially exposing sensitive network management and security functions.

  • Unauthorized access to other accounts' devices.
  • Impacts network security and management.
  • Can be exploited over the network.

Attack Path

How an attacker could exploit the issue

An attacker with a FortiCloud account could exploit this by registering a device and then using that account to bypass authentication and access other Fortinet devices that have FortiCloud Single Sign-On enabled. This allows them to impersonate users or gain unauthorized administrative access to targeted systems.

  • Requires a FortiCloud account.
  • Targets devices with FortiCloud SSO enabled.
  • Exploits authentication bypass mechanism.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to weaponize this CVE because it allows unauthorized access to network security devices. The ability for an attacker with a legitimate account to access other accounts' devices is a powerful lure. The vulnerability's presence on widely deployed Fortinet products increases its attractiveness.

  • Public exploit available.
  • Listed on CISA's KEV catalog.
  • Affects critical network infrastructure.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate isolation or shutdown of affected Fortinet services if they are critical or actively exploited, given the high severity and potential for unauthorized access. If services cannot be immediately taken offline, focus on identifying and blocking any indicators of compromise and review logs for signs of authentication bypass attempts.

  • Isolate or power down vulnerable systems.
  • Block related malicious traffic.
  • Monitor logs for unauthorized access.

Frequently asked questions

What is Fortinet FortiAnalyzer and its function?

Fortinet FortiAnalyzer is a security management platform designed for analyzing logs, generating reports, and managing security events. It aids organizations in monitoring and understanding their network security by collecting and analyzing data from various Fortinet devices.

What type of vulnerability is CVE-2026-24858?

CVE-2026-24858 is an Authentication Bypass vulnerability, specifically categorized as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). This weakness means an attacker can circumvent security measures by using an unintended method to gain access.

How can CVE-2026-24858 be exploited?

Exploitation requires an attacker to possess a FortiCloud account and a registered device. If FortiCloud Single Sign-On (SSO) authentication is enabled on other devices, the attacker can log into those devices, even if they are registered to different accounts.

What is the impact of CVE-2026-24858 on network security?

This vulnerability allows an attacker with a FortiCloud account to improperly access other Fortinet devices not registered to them. This bypasses standard security controls, potentially exposing sensitive network management functions and leading to unauthorized administrative access.

What actions should be taken to address CVE-2026-24858?

Organizations should prioritize isolating or shutting down affected Fortinet services if they are critical. If immediate shutdown is not feasible, focus on blocking any identified indicators of compromise and meticulously reviewing logs for evidence of authentication bypass attempts.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified