Fortinet FortiCloud SSO Authentication Bypass Actively Exploited Against FortiGate Firewalls (CVE-2026-24858)
Scope: FortiOS, FortiManager, FortiAnalyzer, FortiWeb, FortiProxy, FortiSwitch Manager (FortiCloud SSO-Enabled Devices)
Severity: Red
CISA and Fortinet have confirmed active exploitation of CVE-2026-24858 (CVSS 9.4), an authentication bypass in FortiCloud SSO. When FortiCloud SSO authentication is enabled, an attacker holding any valid FortiCloud account with a registered device can log into devices registered to other accounts. The bypass works even on FortiGate firewalls that were already fully patched against the earlier related flaws CVE-2025-59718 and CVE-2025-59719.

Arctic Wolf documented an automated attack cluster, active since January 2026, that once inside creates new local administrator accounts for persistent access, enables VPN access for those rogue accounts, and exfiltrates full firewall configuration files, which give the attacker a complete blueprint of network topology, NAT rules, and VPN settings.

Organizations running FortiGate, FortiManager, or FortiAnalyzer should immediately verify whether FortiCloud SSO is enabled (it is off by default); disable it via the GUI or CLI as an interim measure where it is not strictly required; apply Fortinet's available patches without delay; and audit for unauthorized local administrator accounts, unexpected VPN configuration changes, and any unauthorized configuration exports.
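One way to carry out the audit step above offline, as an added example that is not part of this advisory or of Fortinet's tooling: compare a pre-incident FortiOS configuration backup against a current export, flag administrator accounts that did not exist in the baseline, and read the FortiCloud SSO login state. The sample exports are constructed, and the setting name admin-forticloud-sso-login is an assumption for the FortiCloud SSO option under config system global.

```python
import re

# Constructed sample exports (baseline saved before the exploitation window, current saved
# now). admin-forticloud-sso-login is an assumed key name for the FortiCloud SSO setting.
BASELINE_CFG = """\
config system global
    set admin-forticloud-sso-login disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

CURRENT_CFG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support_tmp"
        set accprofile "super_admin"
    next
end
"""

def parse_admins(cfg):
    """Return {name: accprofile} for every entry under 'config system admin'."""
    admins = {}
    section = re.search(r"^config system admin\n(.*?)^end$", cfg, re.S | re.M)
    if not section:
        return admins
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', section.group(1), re.S):
        prof = re.search(r'set accprofile "([^"]+)"', entry.group(2))
        admins[entry.group(1)] = prof.group(1) if prof else None
    return admins

def forticloud_sso_enabled(cfg):
    """True when the global FortiCloud SSO login setting reads 'enable'."""
    m = re.search(r"set admin-forticloud-sso-login (\w+)", cfg)
    return bool(m) and m.group(1) == "enable"

def audit(baseline, current):
    """Report the SSO state and any admin account absent from the baseline."""
    base, cur = parse_admins(baseline), parse_admins(current)
    new_admins = {n: p for n, p in cur.items() if n not in base}
    return {"sso_enabled": forticloud_sso_enabled(current), "new_admins": new_admins}
```

Any account reported in new_admins, especially one holding super_admin, should be checked against change records before being removed, and the same baseline comparison can be extended to the VPN sections of the export.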
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.