Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858

A new vulnerability, CVE-2026-24858, allows attackers with FortiCloud accounts to access other users' registered devices in Fortinet products. This authentication bypass issue affects devices using FortiCloud single sign-on (SSO). Even if users patched previous FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719), they remain vulnerable. Exploitation of CVE-2026-24858 has resulted in unauthorized configuration changes and account creation on compromised devices. Observed malicious activities include firewall changes and the creation of VPNs granting access. Fortinet temporarily disabled FortiCloud SSO to address the vulnerability and then re-enabled it with mitigations. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog. CISA advises users to search for signs of compromise and apply updates following Fortinet's instructions. The vulnerability underscores the importance of prompt patching and security best practices. CISA provides this information for informational purposes only, without endorsing any specific products or services.