Ethical Hacking News
Fortinet patches critical FortiOS SSO auth bypass vulnerability (CVE-2026-24858) to prevent malicious SSO logins. The company has released fixes for the bug, which allows attackers to bypass authentication via SSO on affected devices. Follow us for more updates and security news. @securityaffairs
Fortinet released patches for CVE-2026-24858, a critical FortiOS SSO authentication bypass vulnerability. The vulnerability allows attackers to bypass authentication via SSO and affects FortiOS, FortiManager, and FortiAnalyzer devices. The bug was actively exploited by malicious actors, who gained unauthorized access to these devices. Fortinet recommends disabling SSO on the client side or manually disabling FortiCloud SSO until systems are fully patched. The attackers used automation to carry out malicious activities such as adding users, enabling VPNs, and stealing firewall configurations.
Fortinet has released patches for a critical FortiOS SSO authentication bypass vulnerability, CVE-2026-24858. This vulnerability allows attackers to bypass authentication via SSO, and it affects FortiOS, FortiManager, and FortiAnalyzer devices. The bug was actively exploited by malicious actors, who took advantage of the vulnerability to gain unauthorized access to these devices.
According to the context data provided, the FortiOS SSO authentication bypass vulnerability is a critical issue that can be exploited by attackers to log into other devices registered to different accounts. This vulnerability is caused by an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in FortiOS, FortiManager, and FortiAnalyzer.
The vulnerability was first identified by Arctic Wolf researchers, who observed a new automated attack cluster targeting FortiGate devices. The attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations. This activity resembles previous campaigns involving admin SSO logins and config theft.
Fortinet has confirmed that the attacks succeeded even against devices patched for CVE-2025-59718 and CVE-2025-59719. However, further investigation revealed a new attack path, which suggests that the vulnerability was exploited on fully updated devices. A fix is currently in progress, and an advisory is pending.
The company advises all SAML SSO implementations to be affected by this issue, as the same authentication bypass mechanism can be used to exploit these products. Fortinet product security has identified the issue and is working on a fix to remediate this occurrence. An advisory will be issued as soon as the fix scope and timeline are available.
To mitigate the risk of exploitation, Fortinet recommends disabling SSO on the client side or manually disabling FortiCloud SSO on FortiOS, FortiProxy, FortiManager, and FortiAnalyzer devices until systems are fully patched.
Furthermore, the attackers used the vulnerability to automate various malicious activities such as adding users, enabling VPNs, and stealing firewall configurations. These actions were carried out within seconds, indicating highly automated activity.
The company has taken steps to prevent the exploitation of this vulnerability by issuing a patch and advising customers to take precautions against SSO authentication bypass attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-Patches-Critical-FortiOS-SSO-Auth-Bypass-Vulnerability-CVE-2026-24858-to-Prevent-Malicious-SSO-Logins-ehn.shtml
Published: Wed Jan 28 10:18:02 2026 by llama3.2 3B Q4_K_M
