Executive Summary
In January 2026, Fortinet suffered a critical security incident when attackers exploited CVE-2026-24858, an authentication bypass vulnerability impacting FortiCloud SSO on key products like FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Malicious actors with valid FortiCloud accounts could access devices registered to other users, enabling unauthorized firewall changes, new privileged account creation, and illicit VPN reconfiguration, even on systems patched for earlier SSO flaws. Fortinet responded by temporarily disabling and then remediating FortiCloud SSO, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
This incident underscores the risks of centralized identity platforms and SSO misconfigurations, as well as the persistent attacker interest in cloud-managed network appliances. Growing exploitation of authentication bypass vulnerabilities has regulatory and operational implications for organizations reliant on integrated cloud services.
Why This Matters Now
This breach demonstrates how quickly attackers can weaponize authentication bypass vulnerabilities in widely used infrastructure, jeopardizing both perimeter and internal defenses. Organizations must rapidly address exposed SSO attack surfaces, as threat actors continue to target cloud-based identity systems, and compliance mandates increasingly demand continuous monitoring and timely remediation.
Attack Path Analysis
The attack began with the adversary exploiting the CVE-2026-24858 authentication bypass vulnerability in Fortinet devices, using manipulated FortiCloud SSO accounts to gain initial access to devices belonging to other organizations. The attacker then escalated privileges by creating unauthorized admin accounts and altering VPN configurations. Leveraging these unauthorized credentials, the attacker could have laterally accessed additional devices or sensitive internal systems. Command and control was potentially established through configuration changes enabling persistent remote access and possible outbound communications. Data exfiltration risk was present via modified VPNs and firewall policies, possibly enabling loading or removal of sensitive configuration or credentials. Ultimately, the attacker’s actions, such as unauthorized admin creation and firewall changes, resulted in significant impact, compromising device integrity and administrative control.
Kill Chain Progression
Initial Compromise
Description
Adversary exploited authentication bypass in FortiCloud SSO (CVE-2026-24858) to gain unauthorized access to Fortinet devices registered to other organizations.
Related CVEs
CVE-2026-24858
CVSS 9.8An authentication bypass vulnerability in multiple Fortinet products allows attackers with a FortiCloud account and a registered device to log into other devices registered to different accounts if FortiCloud SSO authentication is enabled.
Affected Products:
Fortinet FortiAnalyzer – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiManager – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiOS – 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18
Fortinet FortiProxy – 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, 7.0.0 through 7.0.22
Fortinet FortiWeb – 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, 7.4.0 through 7.4.11
Exploit Status:
exploited in the wildCVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in multiple Fortinet products allows attackers to bypass SSO login authentication via a crafted SAML message.
Affected Products:
Fortinet FortiOS – 7.0.0 through 7.0.18, 7.2.0 through 7.2.12, 7.4.0 through 7.4.10, 7.6.0 through 7.6.5
Fortinet FortiWeb – 7.0.0 through 7.0.15, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.5
Fortinet FortiProxy – 7.0.0 through 7.0.22, 7.2.0 through 7.2.15, 7.4.0 through 7.4.12, 7.6.0 through 7.6.4
Fortinet FortiSwitch Manager – 7.0.0 through 7.0.15, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.5
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An authentication bypass vulnerability in multiple Fortinet products allows attackers to bypass SSO login authentication via a crafted SAML message.
Affected Products:
Fortinet FortiOS – 7.0.0 through 7.0.18, 7.2.0 through 7.2.12, 7.4.0 through 7.4.10, 7.6.0 through 7.6.5
Fortinet FortiWeb – 7.0.0 through 7.0.15, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.5
Fortinet FortiProxy – 7.0.0 through 7.0.22, 7.2.0 through 7.2.15, 7.4.0 through 7.4.12, 7.6.0 through 7.6.4
Fortinet FortiSwitch Manager – 7.0.0 through 7.0.15, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.5
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques selected to enable SEO/filtering; mapping can be expanded with deeper STIX/TAXII enrichment in later stages.
Valid Accounts: Cloud Accounts
Exploit Public-Facing Application
Modify Authentication Process: SAML Tokens
Account Manipulation
Valid Accounts: Domain Accounts
Brute Force: Password Spraying
Impair Defenses: Disable or Modify Tools
Create Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication and Access Control
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program, Access Privileges, Risk Assessment
Control ID: 500.03, 500.07, 500.09
DORA – ICT Risk Management and Security Controls
Control ID: Art. 8(2); Art. 10(1)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Strong Authentication and Authorization
Control ID: Identity Pillar - Access Management
NIS2 Directive – Access Control and Asset Management
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical infrastructure at risk from Fortinet authentication bypass enabling unauthorized firewall changes, VPN access creation, and potential lateral movement through government networks.
Financial Services
Banking systems vulnerable to authentication bypass attacks allowing unauthorized configuration changes, compromising encrypted traffic protection and regulatory compliance requirements like PCI standards.
Health Care / Life Sciences
Healthcare networks face authentication bypass risks enabling unauthorized access to patient data systems, violating HIPAA compliance through compromised firewall and VPN configurations.
Information Technology/IT
IT service providers using Fortinet infrastructure vulnerable to authentication bypass enabling unauthorized network segmentation changes and compromised multicloud visibility and control capabilities.
Sources
- Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026Verified
- Administrative FortiCloud SSO Authentication Bypasshttps://fortiguard.fortinet.com/psirt/FG-IR-26-060Verified
- Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypasshttps://fortiguard.fortinet.com/psirt/FG-IR-25-647Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
This incident highlights the importance of Zero Trust and CNSF principles in preventing and detecting cloud-based attacks exploiting authentication and configuration weaknesses. Robust segmentation, strict identity controls, and egress governance could have limited attacker movement, prevented privilege abuse, and detected abnormal remote access or exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detection and blocking of unauthorized device access attempts.
Control: Zero Trust Segmentation
Mitigation: Restricted scope of configuration changes to authorized identities; policy enforcement on admin actions.
Control: East-West Traffic Security
Mitigation: Detection and segmentation policy block on unauthorized east-west movement.
Control: Multicloud Visibility & Control
Mitigation: Continuous monitoring and alerting on persistent remote access behaviors.
Control: Egress Security & Policy Enforcement
Mitigation: Enforced egress policies and monitored for suspicious outbound data flows.
Impact may have been reduced if CNSF controls had limited escalation and abuse.
Impact at a Glance
Affected Business Functions
- Firewall Management
- VPN Access Control
- User Account Management
Estimated downtime: 2 days
Estimated loss: $50,000
Potential unauthorized access to sensitive configuration data and user credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately disable unnecessary cloud SSO and administrative interfaces on internet-exposed devices.
- • Enforce Zero Trust segmentation and least privilege policies to isolate sensitive administrative functions and restrict cross-device movement.
- • Implement inline CNSF enforcement to provide behavioral inspection and policy controls beyond standard authentication.
- • Apply granular egress filtering to monitor and restrict outbound connections, especially those initiated after configuration changes.
- • Continuously monitor for anomalous admin actions and privilege escalations with automated detection and rapid incident response playbooks.
