
CVE-2026-24858: The Fortinet Patch That Wasn't

Fortinet critical SSO bypass - Photo by Tyler / Unsplash

Organisations running the latest FortiOS firmware, fully patched against December's critical SSO bypass, still got compromised in January. On January 26, Fortinet took the unusual step of disabling FortiCloud SSO entirely to stop the bleeding. The vulnerability now tracked as CVE-2026-24858 carries a CVSS score of 9.4 and landed on CISA's Known Exploited Vulnerabilities catalog within 24 hours of disclosure.

This is not a story about organisations failing to patch. It is a story about why patching alone was not enough.


What Makes CVE-2026-24858 Different

Most CVE coverage follows a familiar pattern: vulnerability disclosed, patch released, race to remediate. CVE-2026-24858 breaks that pattern in three ways that matter to security teams.

Patched devices were not safe. Fortinet released patches for CVE-2025-59718 and CVE-2025-59719 on December 9, 2025. Administrators who applied those patches believed they had closed the door. They had not. When attacks resumed in mid-January, Fortinet confirmed that a separate vulnerability, an alternate authentication path, remained exploitable even on fully updated systems.

FortiCloud SSO enables automatically. The vulnerable feature is not enabled by default in factory settings. However, when an administrator registers a device with FortiCare through the GUI, FortiCloud SSO turns on unless they explicitly disable the toggle. Many administrators never notice.

Attacks are fully automated. Arctic Wolf, the security firm that first detected the January campaign, reported that attackers executed complete compromise chains in seconds. Login via SSO, export the device configuration, create a backdoor admin account, configure VPN access. No human hands on keyboard required.

The combination means that even security-conscious organisations following vendor guidance found themselves compromised.

How the Attack Works

CVE-2026-24858 is an authentication bypass using an alternate path or channel (CWE-288). An attacker with any FortiCloud account and a registered device can authenticate to other customers' devices if FortiCloud SSO is enabled on those targets.

The flaw affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. FortiManager Cloud, FortiAnalyzer Cloud, and FortiGate Cloud are not impacted. Organisations using third-party identity providers for SAML SSO instead of FortiCloud are also unaffected.

Fortinet identified the vulnerability while investigating why devices running the latest firmware were still being breached. The company locked out the two malicious FortiCloud accounts on January 22, disabled FortiCloud SSO entirely on January 26, and issued the formal advisory on January 27.

The attack chain observed by Arctic Wolf follows a consistent pattern:

  1. Attacker authenticates via FortiCloud SSO using a malicious account
  2. Downloads the full device configuration through the GUI
  3. Creates a local admin account for persistence
  4. Configures VPN access for future entry

The stolen configuration files contain hashed credentials and internal network details. Even if the initial access is remediated, attackers walk away with a map of the target environment.

Indicators of Compromise

Fortinet and Arctic Wolf have published concrete IOCs. Security teams should check logs and account lists against these indicators.

Malicious SSO accounts observed:

Attacker IP addresses:

  • 104.28.244.115
  • 104.28.212.114
  • 37.1.209.19
  • 217.119.139.50

Fortinet notes that attackers have begun using Cloudflare-protected IPs, so these addresses may shift.

Persistence account names to audit:

audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, sv

Any unexpected administrator account warrants investigation. Attackers varied their naming through the campaign, so review all admin accounts rather than searching only for known names.

Example log pattern (from Fortinet PSIRT):

Fortinet provided this template showing what a malicious SSO login looks like in logs. Search for the IOC values (user, srcip) in your event logs:

logid="0100032001" type="event" subtype="system"
logdesc="Admin login successful" user="[email protected]"
ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115
action="login" status="success" profile="super_admin"

The key fields to search are method="sso" combined with the malicious email addresses or IP addresses listed above; note that these indicators will change over time.
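As an added example (not code from the page, Fortinet or Arctic Wolf), this Python script parses FortiOS-style key=value event lines, flags successful admin logins made via SSO (marking those from the IOC IPs above as hits), and checks an admin account list against the persistence names listed earlier. The log lines, the attacker email addresses and the account lists it runs on are constructed.

```python
import re
from typing import Dict, List, Set

# Attacker IPs from the IOC list on this page; they sit behind Cloudflare and may shift.
IOC_IPS = {"104.28.244.115", "104.28.212.114", "37.1.209.19", "217.119.139.50"}
# Persistence account names reported in the campaign (from the page).
PERSISTENCE_NAMES = {"audit", "backup", "itadmin", "secadmin", "support",
                     "backupadmin", "deploy", "remoteadmin", "security", "sv"}
# key=value pairs; values are either "quoted" (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value event line into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def flag_sso_logins(lines: List[str], ioc_ips: Set[str] = IOC_IPS) -> List[dict]:
    """Return successful admin logins made via FortiCloud SSO. Logins from an IOC
    IP are marked as hits; other SSO logins are still returned for review, since
    the bypass does not depend on the attacker using a known account."""
    findings = []
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("logdesc") != "Admin login successful" or ev.get("method") != "sso":
            continue
        findings.append({"user": ev.get("user", ""), "srcip": ev.get("srcip", ""),
                         "ioc_hit": ev.get("srcip") in ioc_ips})
    return findings

def audit_admin_accounts(accounts: List[str], expected: Set[str]) -> List[str]:
    """Return admin accounts that match a campaign persistence name or are absent
    from the organisation's own expected admin set (step 2 in the next section)."""
    return sorted(a for a in accounts if a.lower() in PERSISTENCE_NAMES or a not in expected)

# Constructed sample lines modelled on the Fortinet PSIRT template above.
SAMPLE_LOGS = [
    'logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" '
    'user="attacker@example.invalid" ui="sso(104.28.244.115)" method="sso" '
    'srcip=104.28.244.115 action="login" status="success" profile="super_admin"',
    'logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 '
    'action="login" status="success" profile="super_admin"',
    'logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" '
    'user="other@example.invalid" ui="sso(198.51.100.7)" method="sso" '
    'srcip=198.51.100.7 action="login" status="success" profile="super_admin"',
]

if __name__ == "__main__":
    for f in flag_sso_logins(SAMPLE_LOGS):
        print("IOC HIT" if f["ioc_hit"] else "REVIEW ", f["user"], "from", f["srcip"])
    print(audit_admin_accounts(["admin", "backupadmin", "jsmith"], {"admin", "jsmith"}))
```

Feed it exported event logs one line at a time and review every SSO login, not only the IOC hits; the account audit needs your own list of sanctioned admin names as the expected set.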

What to Do Now

1. Upgrade immediately. FortiOS 7.6.6 and 7.4.11 are now available. Additional patched versions for FortiManager and FortiAnalyzer are due shortly. Fortinet's server-side mitigation blocks exploitation from unpatched devices, but upgrading is required to restore FortiCloud SSO functionality.

2. Audit all administrator accounts. Look for any of the persistence account names listed above. If you find unexpected accounts, treat the device as compromised.

3. Check for configuration exports. Review logs for GUI-based configuration downloads from unexpected IP addresses or during unusual hours.

4. Rotate credentials if compromised. This includes local accounts, any LDAP or Active Directory accounts connected to the device, and VPN credentials that may have been exposed in exported configs.

5. Restore from a known-clean backup. Do not trust a potentially compromised configuration. Rebuild from a backup predating the attack window.

6. Restrict management interface access. Admin interfaces should not be exposed to the internet. Use local-in policies or out-of-band management. This is the mitigation that would have prevented exploitation regardless of patch status.

The Exposure Picture

Shadowserver tracked over 26,000 Fortinet devices with FortiCloud SSO enabled in late December 2025. That number has dropped below 10,000 as of January 29, likely driven by organisations disabling SSO after the attacks became public.

CISA added CVE-2026-24858 to the Known Exploited Vulnerabilities catalog on January 27, with a remediation deadline of January 30 for federal agencies.

Why This Matters Beyond the Patch

The organisations hit by CVE-2026-24858 did the right thing. They patched in December. They ran current firmware. They followed vendor guidance. They still got owned because a second vulnerability existed in the same attack surface that Fortinet had not yet discovered.

Point-in-time patching assumes you know about every vulnerability. Attackers found an alternate path before the vendor did. This is not a failure of patching discipline. It is a limitation of the patching model itself.

Continuous exposure management addresses this gap by treating vulnerability remediation as one input among many, not the entire strategy. If your security programme relies on patch status as the primary measure of risk, incidents like CVE-2026-24858 will keep surprising you. For a deeper look at moving beyond reactive vulnerability management, see our guide to NIST-Aligned CTEM: Moving Beyond Point-in-Time Scanning.

Summary

CVE-2026-24858 is a reminder that diligent patching can still leave gaps. Fortinet customers who followed best practices in December faced compromise in January because an alternate attack path existed that no one knew about yet. The automated nature of the attacks, the default-on behaviour of FortiCloud SSO during registration, and the value of stolen configuration files made this vulnerability particularly effective.

If your FortiGate devices have FortiCloud SSO enabled, audit your admin accounts, check for IOCs, and upgrade. If you find evidence of compromise, treat the device and its configuration as burned.

This incident is unlikely to be the last SSO-related vulnerability in edge network devices.


Last updated: January 29, 2026

References and Sources

  1. Carl Windsor's blog post with IOCs: https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
  2. Fortinet Advisory (FG-IR-26-060): https://fortiguard.fortinet.com/psirt/FG-IR-26-060
  3. CISA. (2026). Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858. January 28, 2026.
  4. Arctic Wolf Labs. (2026). Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts. January 21, 2026.
  5. Shadowserver Foundation. (2026). Device identification reporting for Fortinet FortiCloud SSO exposure. January 2026.