Cybersecurity Threat Advisory: FortiCloud SSO exploitation

Threat actors are actively exploiting CVE‑2026‑24858 to log into FortiOS and other Fortinet products via FortiCloud SSO (when enabled), create persistent local admin accounts, and steal device configuration files. Review the Cybersecurity Threat Advisory now to protect your and your clients’ environments.

What is the threat?

CVE‑2026‑24858 is an authentication bypass vulnerability affecting multiple Fortinet products (FortiOS/FortiGate, FortiManager, FortiAnalyzer, FortiProxy). The flaw allows an attacker with a FortiCloud account and a registered device to authenticate into other organizations’ devices if FortiCloud SSO administrative login is enabled.

Although FortiCloud SSO is not enabled by default, it may be automatically enabled during device registration unless the “Allow administrative login using FortiCloud SSO” setting is manually disabled.

Why is it noteworthy?

This activity is significant because it abuses FortiCloud SSO as an alternate admin login path, giving attackers remote administrative access without needing the victim organization’s credentials—as long as FortiCloud SSO was enabled.

Once inside, attackers have been seen:

  • Creating local admin accounts to maintain access
  • Exfiltrating configuration data that contains reversibly encrypted credentials (e.g., LDAP/Active Directory service accounts)
  • Quickly pivoting from the firewall into internal systems

The risk is heightened by the fact that some organizations may have unintentionally enabled FortiCloud SSO during setup.

What is the exposure or risk?

If exploited, attackers can gain full administrative control of Fortinet perimeter devices. With this level of access, they can:

  • Create new admin users and maintain long‑term persistence
  • Modify firewall rules and security policies
  • Export complete configuration files
  • Extract and decrypt service account credentials stored in FortiOS
  • Authenticate to internal systems, deploy management tools, join rogue devices to the domain, and access or exfiltrate sensitive data

A firewall compromise of this type can rapidly escalate from perimeter access to broad internal network compromise.

What are the recommendations?

Barracuda strongly recommends taking the following actions to mitigate risk:

  • Upgrade all affected FortiOS/FortiGate, FortiProxy, FortiManager, and FortiAnalyzer systems to the vendor‑fixed versions for CVE‑2026‑24858.
  • Restrict management interfaces to trusted internal networks or VPN-only access. Disable “Allow administrative login using FortiCloud SSO” unless absolutely required.
  • Rotate any credentials potentially exposed via downloaded configurations—especially LDAP/AD service accounts.
  • Preserve logs and configuration history. Review for unexpected admin logins, new local admin accounts, or configuration exports. If confirmed, restore known‑good firmware/configurations and remove unauthorized changes.
  • Centralize Fortinet logs in SIEM/syslog. Retain logs for at least 14 days (preferably 60–90) to support investigation and scoping.
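The log review and configuration review steps above can be scripted. The following is an added example, not code from the advisory or from Fortinet: it scans FortiOS-style key=value event log lines for the three indicators the advisory names (a successful admin login through FortiCloud SSO, a new entry under system.admin, and a configuration backup/export) and audits an exported config for the SSO login setting and for admin accounts outside a known baseline. The sample log lines and config snippet are constructed; the field values such as `method="forticloud-sso"` are assumptions that approximate FortiOS event logs, and the CLI keyword `admin-forticloud-sso-login` (under `config system global`) is assumed to be the setting the advisory refers to and should be confirmed against vendor documentation for your firmware version.

```python
"""Triage helper for the indicators listed in the FortiCloud SSO advisory.

Log field names approximate FortiOS key=value event logs; the sample data
below is CONSTRUCTED for this example and the SSO-specific values are
assumptions, not verified output from a real device.
"""
import re
from typing import Dict, List, Set

# Tokenizes key=value pairs; values are either double-quoted or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Turn one FortiOS-style log line into a dict of field -> value."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _KV.finditer(line)}


def triage_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per line matching an advisory indicator.

    SSO_ADMIN_LOGIN     successful admin login whose method mentions FortiCloud
    ADMIN_ACCOUNT_ADDED new object created under cfgpath system.admin
    CONFIG_EXPORT       configuration backup / download event
    """
    findings = []
    for line in lines:
        ev = parse_kv(line)
        action = ev.get("action", "").lower()
        method = ev.get("method", "").lower()
        logdesc = ev.get("logdesc", "").lower()
        base = {"user": ev.get("user", "?"), "src": ev.get("srcip", ev.get("ui", "?"))}
        if action == "login" and ev.get("status") == "success" and "forticloud" in method:
            findings.append({"kind": "SSO_ADMIN_LOGIN", **base})
        elif action == "add" and ev.get("cfgpath") == "system.admin":
            findings.append({"kind": "ADMIN_ACCOUNT_ADDED", "new_admin": ev.get("cfgobj", "?"), **base})
        elif action == "backup" or "config backup" in logdesc:
            findings.append({"kind": "CONFIG_EXPORT", **base})
    return findings


def audit_config(config_text: str, expected_admins: Set[str]) -> Dict[str, object]:
    """Check an exported FortiOS config for the SSO login toggle and extra admins.

    A missing 'set admin-forticloud-sso-login' line is treated as the default
    (disabled), matching the advisory's statement that SSO is off by default.
    """
    sso = re.search(r'^\s*set admin-forticloud-sso-login (\w+)', config_text, re.M)
    sso_state = sso.group(1) if sso else "disable"
    admins: Set[str] = set()
    block = re.search(r'^config system admin\n(.*?)^end', config_text, re.M | re.S)
    if block:
        admins = set(re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M))
    return {"forticloud_sso_login": sso_state,
            "unexpected_admins": sorted(admins - expected_admins)}


# Constructed sample data: one benign HTTPS login followed by the pattern the
# advisory describes (SSO login, local admin created, config downloaded).
SAMPLE_LOGS = [
    'date=2026-02-03 time=09:12:41 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.5.20)" method="https" srcip=10.0.5.20 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.0.5.20)"',
    'date=2026-02-03 time=22:47:03 type="event" subtype="system" logdesc="Admin login successful" '
    'user="sso_user" ui="https(198.51.100.77)" method="forticloud-sso" srcip=198.51.100.77 '
    'action="login" status="success" msg="Administrator sso_user logged in successfully via FortiCloud SSO"',
    'date=2026-02-03 time=22:48:10 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="sso_user" ui="https(198.51.100.77)" action="Add" cfgpath="system.admin" cfgobj="svc-backup" '
    'msg="Add system.admin svc-backup"',
    'date=2026-02-03 time=22:49:55 type="event" subtype="system" logdesc="Config backup" '
    'user="sso_user" ui="https(198.51.100.77)" action="backup" msg="Configuration was backed up and downloaded"',
]

SAMPLE_CONFIG = """config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-edge-1"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    for f in triage_logs(SAMPLE_LOGS):
        print(f)
    print(audit_config(SAMPLE_CONFIG, expected_admins={"admin"}))
```

Run against real exports, feed the script lines from your syslog/SIEM archive (the 14 to 90 day retention window above) and the baseline set of admin names you expect on each device; any `SSO_ADMIN_LOGIN` finding on a device where the SSO toggle should be disabled, or any name in `unexpected_admins`, is a lead for the incident response steps in the advisory.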

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
