FortiOS SSO authentication bypass (CVE-2026-24858)
Vulnerability
Summary
CVE-2026-24858 is a critical FortiOS authentication bypass affecting FortiOS, FortiManager, and FortiAnalyzer, and it is being actively exploited in the wild. The flaw can let an attacker with a FortiCloud account and a registered device log into other devices when FortiCloud SSO is enabled. That abuse can enable local admin persistence, VPN access changes, and firewall configuration exfiltration. Fortinet has started releasing security updates in response, and CISA has added the issue to KEV with a January 30, 2026 remediation deadline for FCEB agencies.
Related Happenings
PAN-OS User-ID Authentication Portal mitigation guidance (CVE-2026-0300)
Advisory/Mitigation
First: 06.05.2026 09:14
Last: 06.05.2026 09:14
Sources 1
About this happening:
Palo Alto Networks issued **mitigation guidance** for **CVE-2026-0300** after the **PAN-OS User-ID Authentication Portal** flaw was reported **exploited in the wild**, leaving pub...
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
Fortinet FortiClient EMS SQL injection flaw actively exploited (CVE-2026-21643)
Vulnerability
First: 30.03.2026 10:48
Last: 30.03.2026 10:48
Sources 1
About this happening:
Active exploitation of **CVE-2026-21643** is putting **Fortinet FortiClient EMS** deployments at risk of **unauthenticated arbitrary code or command execution** on unpatched syste...
US Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 26-03 for Federal civilian executive branch systems remediation and reporting deadlines through
Public Sector Action
First: 12.03.2026 14:45
Last: 12.03.2026 14:45
Sources 1
About this happening:
CISA issued **Emergency Directive 26-03** after warning that attackers are actively exploiting **Cisco Catalyst SD-WAN** vulnerabilities across **US federal networks**. The direct...
Timeline
- 10.03.2026 18:21 · 1 article
FortiGate exploitation uses CVE-2026-24858
Exploitation Observed: SentinelOne said attackers are abusing FortiGate NGFW appliances through known vulnerabilities and weak credentials, including CVE-2026-24858, to steal configuration files and service account credentials from healthcare, government, and managed service provider environments.
Source: FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials — thehackernews.com — 10.03.2026 18:21
- 28.01.2026 06:49 · 1 article
Malicious FortiCloud accounts locked out
Mitigation Patch Update: Fortinet locked out two malicious FortiCloud accounts, [email protected] and [email protected], after threat actors abused a new attack path to obtain FortiCloud SSO logins without authentication on affected devices.
Source: Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
- 28.01.2026 06:49 · 1 article
FortiCloud SSO disabled on FortiCloud side
Mitigation Patch Update: Fortinet disabled FortiCloud SSO on the FortiCloud side, cutting off the login path that had been abused to create local admin accounts, change VPN-related configuration, and exfiltrate firewall configurations.
Source: Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
- 28.01.2026 06:49 · 1 article
FortiCloud SSO re-enabled with vulnerable-version block
Mitigation Patch Update: Fortinet re-enabled FortiCloud SSO but blocked the feature on devices running vulnerable versions, requiring customers to upgrade to the latest software before FortiCloud SSO would function.
Source: Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
- 28.01.2026 06:49 · 2 articles
CVE-2026-24858 disclosed as active FortiOS bypass
Initial Disclosure: Fortinet disclosed CVE-2026-24858, a CVSS 9.4 authentication bypass in FortiOS single sign-on that also affects FortiManager and FortiAnalyzer and may affect FortiWeb and FortiSwitch Manager; an attacker with a FortiCloud account and a registered device could log into other devices when FortiCloud SSO is enabled.
Source: Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
- 28.01.2026 06:49 · 1 article
CISA adds CVE-2026-24858 to KEV
Legal Policy Action Update: CISA added CVE-2026-24858 to the Known Exploited Vulnerabilities catalog and required Federal Civilian Executive Branch agencies to remediate it by January 30, 2026.
Source: Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49