Critical Fortinet Authentication Bypass Allows Access to Other Customers' Devices (CVE-2026-24858)


Fortinet has disclosed a critical authentication bypass vulnerability affecting FortiOS, FortiManager, and FortiAnalyzer that allows attackers with a FortiCloud account to access devices registered to other customers' accounts. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

The flaw, tracked as CVE-2026-24858, carries a CVSS severity score of 9.8 and affects organizations using FortiCloud single sign-on authentication across their Fortinet infrastructure.

Cross-Account Device Access

The vulnerability stems from an "authentication bypass using an alternate path or channel" weakness. An attacker who possesses a valid FortiCloud account and at least one registered device can exploit the flaw to log into devices registered to entirely different accounts, provided those target devices have FortiCloud SSO authentication enabled.

This cross-tenant access vulnerability is particularly severe because it breaks the fundamental isolation between customer environments. Attackers do not need credentials for the target organization — only their own valid FortiCloud account and a registered device to initiate the attack.

Extensive Product Impact

The vulnerability affects multiple versions across three major Fortinet product lines:

FortiAnalyzer versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15 are affected.

FortiManager versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15 are affected.

FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18 are affected.

The broad version coverage spanning multiple major releases indicates the vulnerability has existed in Fortinet's codebase for an extended period.

Active Exploitation Confirmed

CISA's addition of CVE-2026-24858 to the Known Exploited Vulnerabilities catalog confirms the flaw is being actively exploited by threat actors. Federal agencies are required to apply mitigations according to CISA's binding operational directive timelines.

Fortinet has published technical analysis of the SSO abuse mechanism on its PSIRT blog, providing additional details on how attackers are leveraging the vulnerability.

Immediate Action Required

Organizations using FortiCloud SSO authentication should apply patches immediately. Given the critical severity rating and confirmed active exploitation, this vulnerability should be treated as a priority remediation item.

As a temporary mitigation, organizations unable to patch immediately should consider disabling FortiCloud SSO authentication until updates can be applied. Security teams should review logs for any unauthorized access attempts that may indicate prior exploitation.

Organizations should also audit which devices have FortiCloud SSO enabled and verify that no unauthorized access has occurred to their Fortinet infrastructure.
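As an added example (not Fortinet's code or part of the original article), a small Python triage helper that encodes the affected version ranges listed above and flags inventory entries that are both in an affected range and have FortiCloud SSO enabled. The hostnames, versions and SSO flags in the sample inventory are constructed; the helper only knows the ranges stated in this advisory and treats anything outside them as not listed.

```python
"""Triage Fortinet devices against the CVE-2026-24858 affected ranges."""
from typing import Dict, List, Tuple

# (first, last) affected version per branch, inclusive, exactly as listed in the advisory.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiAnalyzer": [("7.6.0", "7.6.5"), ("7.4.0", "7.4.9"), ("7.2.0", "7.2.11"), ("7.0.0", "7.0.15")],
    "FortiManager": [("7.6.0", "7.6.5"), ("7.4.0", "7.4.9"), ("7.2.0", "7.2.11"), ("7.0.0", "7.0.15")],
    "FortiOS": [("7.6.0", "7.6.5"), ("7.4.0", "7.4.10"), ("7.2.0", "7.2.12"), ("7.0.0", "7.0.18")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.4.10' into (7, 4, 10) so comparisons are numeric; as strings '7.4.10' < '7.4.9'."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges for the product."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return False  # product not named in the advisory
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: List[dict]) -> List[dict]:
    """Return devices in an affected version that also have FortiCloud SSO enabled.

    These are the ones reachable through the cross-account bypass; affected devices
    without SSO still need the patch but are not exposed through this path.
    """
    return [
        d for d in inventory
        if is_affected(d["product"], d["version"]) and d.get("forticloud_sso", False)
    ]


# Constructed sample inventory (hypothetical hosts; not real devices).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "product": "FortiOS", "version": "7.4.10", "forticloud_sso": True},
    {"host": "fw-edge-2", "product": "FortiOS", "version": "7.4.11", "forticloud_sso": True},
    {"host": "fmg-1", "product": "FortiManager", "version": "7.2.11", "forticloud_sso": False},
    {"host": "faz-1", "product": "FortiAnalyzer", "version": "7.0.15", "forticloud_sso": True},
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        print(f"PRIORITY: {d['host']} {d['product']} {d['version']} (FortiCloud SSO enabled)")
```

Feed it an export of your real inventory to get the patch-first list; devices that are affected but have SSO disabled still belong on the regular patch schedule.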
