Executive Summary
In January 2026, Fortinet disclosed a critical zero-day vulnerability (CVE-2026-24858) affecting FortiCloud’s single sign-on authentication, enabling attackers with a FortiCloud account and a registered device to bypass authentication controls and gain privileged access to FortiGate firewalls and other products. Malicious actors leveraged the flaw in the wild, making unauthorized configuration changes, creating unauthorized accounts, and manipulating VPN settings across exposed management interfaces. Fortinet responded by disabling FortiCloud SSO, blocking the known malicious accounts, and issuing mitigations, though patches for multiple affected products remained unavailable at disclosure.
This incident highlights the persistent targeting of network infrastructure devices by threat actors seeking initial access and lateral movement. With thousands of Fortinet instances exposed globally and repeated inclusion of Fortinet CVEs in known exploited vulnerabilities catalogs, organizations face increased regulatory scrutiny and pressure to rapidly address vulnerabilities affecting critical network management infrastructure.
Why This Matters Now
The Fortinet SSO authentication bypass exposes a significant attack surface across thousands of globally deployed network devices, with exploitation ongoing and immediate remediation required. Rapid attacker adaptation and repeated flaws in high-value management interfaces emphasize the urgent need for organizations to apply mitigations, monitor exposures, and strengthen network access controls to limit future risk.
Attack Path Analysis
Attackers exploited a zero-day authentication bypass in FortiCloud SSO to gain privileged access to exposed Fortinet management interfaces. With unauthorized access, they escalated privileges by creating new admin accounts and altering VPN configurations. The attackers then leveraged this access to pivot across connected devices and manipulate further settings. Command and control was established by reconfiguring firewall and access settings, enabling persistent remote management. Data exfiltration was possible through modified VPN and egress configurations but not explicitly observed. The impact included unauthorized control of firewall infrastructure, potentially facilitating broader compromise or data loss.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited CVE-2026-24858 to bypass FortiCloud SSO authentication on publicly exposed management interfaces and accessed target devices.
Related CVEs
CVE-2026-24858
CVSS 9.8An authentication bypass vulnerability in Fortinet products allows attackers with a FortiCloud account and a registered device to log into other devices registered to different accounts if FortiCloud SSO authentication is enabled.
Affected Products:
Fortinet FortiAnalyzer – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiManager – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
Fortinet FortiOS – 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18
Fortinet FortiProxy – 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, 7.0.0 through 7.0.22
Fortinet FortiWeb – 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, 7.4.0 through 7.4.11
Exploit Status:
exploited in the wildCVE-2025-59718
CVSS 9.8An improper verification of cryptographic signature vulnerability in Fortinet products allows unauthenticated attackers to bypass FortiCloud SSO login authentication via a crafted SAML response message.
Affected Products:
Fortinet FortiOS – 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17
Fortinet FortiProxy – 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, 7.0.0 through 7.0.21
Fortinet FortiSwitchManager – 7.2.0 through 7.2.6, 7.0.0 through 7.0.5
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Initial TTP mappings for filtering and SEO; can be expanded with full STIX/TAXII data in future iterations.
Exploit Public-Facing Application
Valid Accounts: Cloud Accounts
Valid Accounts
Create Account
Abuse Elevation Control Mechanism
Impair Defenses
Account Discovery
Remote Services: Remote Desktop Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for Access to CDE
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Authorization
Control ID: Identity Pillar: Authentication
NIS2 Directive – Incident Handling and Security in Network and Information Systems
Control ID: Article 21(2)(d)
DORA (Regulation (EU) 2022/2554) – ICT Risk Management
Control ID: Article 10
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Fortinet's CVE-2026-24858 zero-day directly impacts security vendors relying on FortiCloud SSO, creating authentication bypass vulnerabilities in critical network infrastructure and firewall management systems.
Financial Services
Banking institutions face severe network infrastructure compromise risks from authentication bypass vulnerabilities, threatening HIPAA/PCI compliance requirements and enabling lateral movement through segmented financial networks.
Health Care / Life Sciences
Healthcare organizations using Fortinet firewalls risk HIPAA compliance violations through unauthorized VPN reconfigurations and account creation, exposing patient data to exfiltration via compromised network controls.
Government Administration
Government agencies face critical infrastructure threats from actively exploited zero-day enabling firewall reconfiguration, unauthorized access creation, and potential command-and-control establishment through compromised network boundaries.
Sources
- Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customershttps://cyberscoop.com/ortinet-zero-day-cve-2026-24858-forticloud-sso-auth-bypass/Verified
- NVD - CVE-2026-24858https://nvd.nist.gov/vuln/detail/CVE-2026-24858Verified
- Fortinet starts patching exploited FortiCloud SSO zero-day (CVE-2026-24858)https://www.helpnetsecurity.com/2026/01/28/fortinet-forticloud-sso-zero-day-vulnerability-cve-2026-24858/Verified
- Fortinet Warns of Actively Exploited FortiCloud SSO Flaw (CVE-2026-24858)https://cyberpress.org/fortinet-actively-exploited-forticloud-sso-vulnerability-cve-2026-24858/Verified
- NVD - CVE-2025-59718https://nvd.nist.gov/vuln/detail/CVE-2025-59718Verified
- Attackers are exploiting auth bypass vulnerability on FortiGate firewalls (CVE-2025-59718)https://www.helpnetsecurity.com/2025/12/17/fortigate-vulnerability-cve-2025-59718-exploited/Verified
- CISA Known Exploited Vulnerabilities Catalog - CVE-2025-59718https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
This incident demonstrates clear CNSF and Zero Trust relevance, as it exploited weaknesses in authentication, network segmentation, and egress controls. Applying identity-based segmentation, granular policy enforcement, and strict workload isolation could have constrained unauthorized lateral movement, command persistence, and potential data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Prevented or detected unauthorized access to management planes if Zero Trust identity and contextual access controls were enforced.
Control: Zero Trust Segmentation
Mitigation: Identity and role-based segmentation could have limited escalation paths to privileged resources.
Control: East-West Traffic Security
Mitigation: Workload isolation and granular traffic controls would restrict unauthorized access between cloud devices and segments.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility and policy controls would detect and disrupt unexpected configuration changes or outbound management access.
Control: Egress Security & Policy Enforcement
Mitigation: Egress controls could detect or block unsanctioned data flows through anomalous VPN or firewall changes.
Effective Zero Trust and CNSF controls may have limited attacker impact by constraining lateral spread, privilege escalation, and egress.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Firewall Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of network configurations, security rules, VPN settings, and authentication mechanisms.
Recommended Actions
Key Takeaways & Next Steps
- • Prioritize removal of public internet exposure for all management interfaces using network-level cloud firewall controls.
- • Deploy Zero Trust Segmentation and least privilege policies to restrict internal and administrative traffic pathways.
- • Enforce egress security and monitoring to detect and block unauthorized outbound channels and potential data exfiltration.
- • Enable centralized visibility and anomaly detection to surface suspicious configuration changes or admin account activity.
- • Regularly review and update privileged account policies, ensuring strong authentication and real-time monitoring for any modifications.
