Summary
On 27 January 2026, Fortinet released an advisory detailing a critical authentication bypass vulnerability affecting FortiOS, FortiAnalyzer, FortiManager, and FortiProxy products. Designated CVE-2026-24858, the vulnerability allows a threat actor who is not authenticated to the target device, but who holds their own FortiCloud account and has a device registered to it, to log into devices registered to other accounts, provided FortiCloud SSO authentication is enabled on those devices.
Arctic Wolf had previously published a security bulletin on January 21, 2026 detailing threat activity potentially related to this vulnerability. At the time that bulletin was published no CVE had been assigned, but the activity overlapped notably with the FortiCloud SSO authentication bypass activity disclosed in early December 2025. In the new campaign, threat actors were able to authenticate against Fortinet devices that had FortiCloud SSO enabled, create local administrative accounts for persistence, and exfiltrate configuration data.
Fortinet states that FortiCloud SSO login is disabled by default in factory settings. However, when administrators register devices on FortiCare through the device’s GUI, FortiCloud SSO is enabled unless specifically disabled through the “Allow administrative login using FortiCloud SSO” toggle on the registration page.
Recommendations for CVE-2026-24858
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of affected Fortinet products. See the Fortinet advisory on this vulnerability for more details.
| Product | Affected Version | Fixed Version |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to upcoming 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to upcoming 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to upcoming 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to upcoming 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to upcoming 7.0.19 or above |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to upcoming 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to upcoming 7.4.13 or above |
| FortiProxy 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
Note: FortiAnalyzer 6.4, FortiManager 6.4, and FortiOS 6.4 are unaffected by the vulnerability.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Limit Access to Management Interfaces of Network Appliances to Trusted Internal Users
Threat actors commonly target management interfaces of firewalls and VPNs for mass exploitation, often relying on specialised search engines that facilitate identification of specific hardware configurations.
In the last few years, Arctic Wolf has observed multiple campaigns targeting management interfaces on firewalls and VPN gateways. Consider restricting all firewall management interface access to trusted internal networks as a security best practice across all firewall configurations, regardless of network appliance vendor.
Configure Log Monitoring for all Firewall Devices
Arctic Wolf has detections in place to identify malicious activity associated with this campaign. If you are a Managed Detection and Response customer, ensure that syslog monitoring is configured for all of your organisation’s firewall devices using our provided documentation. This increases the likelihood of catching malicious activity early.
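The following is an added example of the kind of triage a monitoring pipeline can run once firewall syslog is being collected; it is not Arctic Wolf's detection content and not Fortinet code. It parses FortiOS-style key=value event lines and flags the three behaviours this bulletin describes: a successful administrator login from outside the networks the organisation expects, any change to an administrator account object, and any change to the FortiCloud SSO login setting. The log lines, the device name, the IP addresses and the trusted-network list are all constructed for the demo, and the exact field values FortiOS emits for each event should be checked against your own logs.

```python
"""Triage FortiOS-style key=value syslog lines for administrative activity.

Added example, not Arctic Wolf's or Fortinet's code. Field names follow the
FortiOS key="value" log convention; sample lines and network ranges below are
constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, List

# Networks from which administrative logins are expected (assumption for the demo).
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# key=value or key="quoted value"; group 2 is the quoted form, group 3 the bare form.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not real log data).
SAMPLE_LOGS = [
    'date=2026-01-20 time=03:12:45 devname="fw-edge-01" type="event" subtype="system" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" '
    'method="https" srcip=203.0.113.45 dstip=192.0.2.10 action="login" status="success" '
    'reason="none" profile="super_admin" msg="Administrator admin logged in successfully"',
    'date=2026-01-20 time=03:13:02 devname="fw-edge-01" type="event" subtype="system" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.45)" '
    'action="Edit" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[super_admin]" msg="Edit system.admin svc_backup"',
    'date=2026-01-20 time=03:14:30 devname="fw-edge-01" type="event" subtype="system" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.45)" '
    'action="Edit" cfgpath="system.global" cfgobj="" '
    'cfgattr="admin-forticloud-sso-login[disable->enable]" msg="Edit system.global"',
    'date=2026-01-20 time=09:01:11 devname="fw-edge-01" type="event" subtype="system" '
    'vd="root" logdesc="Admin login successful" user="netops" ui="https(10.20.30.40)" '
    'method="https" srcip=10.20.30.40 dstip=192.0.2.10 action="login" status="success" '
    'reason="none" profile="super_admin" msg="Administrator netops logged in successfully"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one key=value / key="quoted value" log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def _ip_trusted(ip_text: str) -> bool:
    """True when the source address lies inside an expected admin network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETWORKS)


def triage_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a rule."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_fortios_log(line)
        base = {"time": f'{ev.get("date", "?")} {ev.get("time", "?")}',
                "device": ev.get("devname", "?"), "user": ev.get("user", "?")}
        # Rule 1: successful admin login from a source outside the trusted networks.
        if (ev.get("action") == "login" and ev.get("status") == "success"
                and not _ip_trusted(ev.get("srcip", ""))):
            findings.append({**base, "rule": "admin_login_untrusted_source",
                             "srcip": ev.get("srcip", "?")})
        cfgpath, cfgattr = ev.get("cfgpath", ""), ev.get("cfgattr", "")
        # Rule 2: any administrator account object created or edited.
        if cfgpath == "system.admin":
            findings.append({**base, "rule": "admin_account_modified",
                             "object": ev.get("cfgobj", "?")})
        # Rule 3: the FortiCloud SSO login toggle changed.
        elif cfgpath == "system.global" and "admin-forticloud-sso-login" in cfgattr:
            findings.append({**base, "rule": "forticloud_sso_setting_changed",
                             "change": cfgattr})
    return findings


if __name__ == "__main__":
    for f in triage_logs(SAMPLE_LOGS):
        print(f)
```

Running the block prints three findings for the constructed sample: the login from 203.0.113.45, the edit of the `svc_backup` admin object, and the change of `admin-forticloud-sso-login`; the login from 10.20.30.40 is inside the trusted range and produces nothing. In practice the rules would be fed from the syslog collector rather than the in-file list.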
Restore Clean Configuration and Firmware if Exploitation is Suspected
If any systems are identified as compromised, consider formatting the boot drive, performing a TFTP boot to load verified firmware, and then restoring a clean configuration file. Prior to restoration, thoroughly review the configuration for any unauthorised modifications.
For more details on how to perform a configuration backup and install firmware via TFTP on FortiOS, see the following Fortinet documentation pages:
- https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/556915/installing-firmware-from-system-reboot?
- https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/702257/configuration-backups-and-reset
Workarounds
Disable FortiCloud SSO
Previously, Fortinet recommended disabling FortiCloud SSO as a temporary workaround until upgrading to a fixed version. In its recent advisory, Fortinet states that FortiCloud SSO authentication no longer supports login from devices running vulnerable versions. Therefore, disabling FortiCloud SSO login on the device side is not necessary at the moment.
For reference, disabling FortiCloud SSO can still be done via the following steps:
On FortiOS and FortiProxy
Go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off. Or enter the following commands in the CLI:
    config system global
        set admin-forticloud-sso-login disable
    end
On FortiManager and FortiAnalyzer
Go to System Settings -> SAML SSO -> Switch “Allow admins to login with FortiCloud” to Off. Or enter the following commands in the CLI:
    config system saml
        set forticloud-sso disable
    end
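The restoration guidance above asks for a configuration review for unauthorised modifications before a clean configuration is loaded, and the workaround section names the two settings that control FortiCloud SSO login. The following added example (not Fortinet's or Arctic Wolf's code) serves both: it parses a FortiOS-style configuration backup (`config` / `edit` / `set` / `next` / `end` blocks) and reports the state of `admin-forticloud-sso-login` (FortiOS and FortiProxy) or `forticloud-sso` (FortiManager and FortiAnalyzer), plus every administrator account and its access profile, flagging any account not on the organisation's expected list. The sample configuration and the expected-admin list are constructed assumptions for the demo.

```python
"""Review a FortiOS-style configuration backup for FortiCloud SSO state and
unexpected administrator accounts.

Added example, not Fortinet's or Arctic Wolf's code. The sample configuration
and EXPECTED_ADMINS are constructed for the demonstration.
"""
import shlex
from typing import Dict, List, Union

# Administrator accounts the organisation expects to exist (assumption for the demo).
EXPECTED_ADMINS = {"admin", "netops"}

# Constructed sample backup in FortiOS syntax (not a real device configuration).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.0.0.0
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

Node = Dict[str, Union[str, List[str], "Node"]]


def parse_fortios_config(text: str) -> Node:
    """Parse config text into nested dicts.

    `config a b` opens a section keyed "a b", `edit "x"` opens an entry keyed x,
    `set k v [v...]` stores a string (one value) or a list (several values),
    and `next` / `end` close the current entry or section.
    """
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw, args = parts[0], parts[1:]
        if kw == "config" and args:
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit" and args:
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        # unset, purge and other keywords are not needed for this review.
    return root


def review_config(text: str) -> dict:
    """Report FortiCloud SSO state and administrator accounts in a backup."""
    cfg = parse_fortios_config(text)
    report = {"forticloud_sso": "not set in backup", "admins": {}, "unexpected_admins": []}
    # FortiOS / FortiProxy toggle lives under `config system global`.
    sys_global = cfg.get("system global", {})
    if "admin-forticloud-sso-login" in sys_global:
        report["forticloud_sso"] = sys_global["admin-forticloud-sso-login"]
    # FortiManager / FortiAnalyzer toggle lives under `config system saml`.
    sys_saml = cfg.get("system saml", {})
    if "forticloud-sso" in sys_saml:
        report["forticloud_sso"] = sys_saml["forticloud-sso"]
    # Every admin account with its profile; anything unexpected is flagged.
    for name, entry in cfg.get("system admin", {}).items():
        report["admins"][name] = entry.get("accprofile", "?")
        if name not in EXPECTED_ADMINS:
            report["unexpected_admins"].append(name)
    return report


if __name__ == "__main__":
    print(review_config(SAMPLE_CONFIG))
```

For the constructed sample the report shows `forticloud_sso` as `enable` and flags `svc_backup`, a `super_admin` account that is not on the expected list, which is the kind of persistence account this bulletin describes. Run the review against the backup taken before restoration, and treat anything flagged as a reason to rebuild the configuration from a known-good copy rather than to edit it in place.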