Imagine waking up to the news that a critical security flaw in a widely used network operating system is being actively exploited in the wild. That's exactly what happened when Fortinet, a leading cybersecurity firm, discovered that a vulnerability in its FortiOS system was under attack. But here's where it gets controversial: while the company has released patches, the exploitation has already led to significant breaches, raising questions about the speed of response and the broader implications for network security.
Fortinet has begun rolling out security updates to address CVE-2026-24858, a critical authentication bypass vulnerability in FortiOS, FortiManager, and FortiAnalyzer. This flaw, with a CVSS score of 9.4, allows an attacker with a FortiCloud account and a registered device to log into other devices registered to different accounts, provided FortiCloud Single Sign-On (SSO) is enabled. And this is the part most people miss: the FortiCloud SSO feature is not enabled by default; it is switched on when an administrator registers the device with FortiCare through the device's GUI, and it stays on unless the administrator explicitly disables the 'Allow administrative login using FortiCloud SSO' option.
The issue came to light after Fortinet confirmed that unknown threat actors were exploiting a 'new attack path' to gain SSO logins without authentication. These attackers used this access to create local admin accounts, modify configurations to grant VPN access, and exfiltrate firewall settings. Over the past week, Fortinet took several steps to mitigate the threat, including locking out two malicious FortiCloud accounts, temporarily disabling FortiCloud SSO, and re-enabling it with restrictions on vulnerable versions.
Here’s the kicker: to restore FortiCloud SSO functionality, customers must upgrade to the latest software versions. Fortinet also advises users who suspect compromise to treat their devices as breached and take immediate actions, such as updating firmware, restoring clean configurations, and rotating credentials, including LDAP/AD accounts linked to FortiGate devices.
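Two checks follow directly from the paragraphs above: whether a device's configuration still allows administrative login via FortiCloud SSO, and whether its event logs show the post-compromise pattern described (an SSO login followed by creation of a local admin account or a configuration change that opens VPN access). The script below is an added example written for this article, not Fortinet's own code. It assumes that the CLI key `admin-forticloud-sso-login` under `config system global` corresponds to the GUI option named above, and the config excerpt and log lines are constructed in FortiGate-style key=value form rather than real captures; the exact field names are an assumption and should be adjusted to match your own logs.

```python
"""Triage helper (added example, not Fortinet's code).

Checks a config backup for the FortiCloud SSO admin-login setting and scans
event logs for an SSO admin login followed, within a time window, by an
admin-account creation or a VPN-related configuration change by that user.

Assumptions (labelled): the CLI key `admin-forticloud-sso-login` is assumed to
map to the GUI option 'Allow administrative login using FortiCloud SSO'; the
sample config and log lines are constructed, not real device output.
"""
import re
from datetime import datetime, timedelta

# Constructed config excerpt (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
end
"""

# Constructed event-log lines in FortiGate-style key=value form (field names
# are an assumption; adjust to match the real log schema).
SAMPLE_LOGS = [
    'date=2026-01-20 time=10:02:11 type="event" subtype="system" logdesc="Admin login successful" '
    'user="sso_user" ui="https(198.51.100.7)" method="forticloud-sso" action="login" status="success"',
    'date=2026-01-20 time=10:04:40 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="sso_user" ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'msg="Add system.admin svc_backup"',
    'date=2026-01-20 time=10:06:05 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="sso_user" ui="https(198.51.100.7)" action="Edit" cfgpath="vpn.ssl.settings" '
    'cfgattr="status[disable->enable]" msg="Edit vpn.ssl.settings"',
    'date=2026-01-20 time=11:30:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" method="local" action="login" status="success"',
    'date=2026-01-20 time=11:31:00 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="system.global" '
    'cfgattr="hostname[fw-edge-01->fw-edge-02]"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def sso_login_enabled(config_text):
    """True if the config backup still allows admin login via FortiCloud SSO.
    The key name is an assumption (see module docstring)."""
    m = re.search(r'^\s*set admin-forticloud-sso-login (\w+)', config_text, re.M)
    return bool(m) and m.group(1) == "enable"


def find_suspicious_sequences(lines, window_minutes=60):
    """Return findings: each is a successful forticloud-sso login followed within
    the window by the same user adding a system.admin object or editing a vpn.*
    path. Other admins' activity is not flagged."""
    events = [parse_line(ln) for ln in lines]
    for e in events:
        e["_ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
    findings = []
    for e in events:
        if not (e.get("method") == "forticloud-sso" and e.get("action") == "login"
                and e.get("status") == "success"):
            continue
        deadline = e["_ts"] + timedelta(minutes=window_minutes)
        followups = [
            f for f in events
            if f.get("user") == e.get("user")
            and e["_ts"] < f["_ts"] <= deadline
            and ((f.get("cfgpath") == "system.admin" and f.get("action") == "Add")
                 or f.get("cfgpath", "").startswith("vpn."))
        ]
        if followups:
            findings.append({
                "user": e["user"],
                "ui": e.get("ui"),
                "login_at": e["_ts"].isoformat(),
                "actions": [f.get("msg") or f.get("cfgpath") for f in followups],
            })
    return findings


if __name__ == "__main__":
    print("FortiCloud SSO admin login enabled:", sso_login_enabled(SAMPLE_CONFIG))
    for hit in find_suspicious_sequences(SAMPLE_LOGS):
        print("SSO login followed by admin/VPN changes:", hit)
```

A finding here is a starting point for the remediation the advisory describes (treat the device as compromised, restore a clean configuration, rotate credentials), not proof on its own; legitimate administrators also use SSO, so the value is in reviewing what the account did immediately after logging in.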
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issue by January 30, 2026. This move underscores the severity of the vulnerability and the urgency of patching systems.
Now, here’s a thought-provoking question: Given the rapid exploitation of this vulnerability, should cybersecurity firms like Fortinet be held to stricter timelines for disclosing and patching critical flaws? Or is the responsibility on organizations to stay vigilant and update their systems promptly? Let us know your thoughts in the comments below.