CVE-2026-24858 is a critical authentication bypass vulnerability (CVSS 9.4) impacting Fortinet's FortiOS, FortiManager, and FortiAnalyzer platforms, specifically targeting the FortiCloud Single Sign-On (SSO) feature. The vulnerability arises from an alternate authentication path that allows an attacker possessing a FortiCloud account and a registered device to bypass normal authentication controls and gain unauthorized access to other devices registered under different accounts. This flaw exploits the FortiCloud SSO mechanism, which is not enabled by default but can be activated by administrators via the device GUI when registering devices to FortiCare and toggling the administrative login option. Exploitation enables attackers to create local administrator accounts, modify firewall configurations to grant VPN access, and exfiltrate firewall configurations, thereby compromising confidentiality, integrity, and availability of network security controls. Fortinet detected active exploitation by unidentified threat actors who abused this new attack vector to maintain persistence and control over affected devices. In response, Fortinet locked out malicious FortiCloud accounts, temporarily disabled FortiCloud SSO, and mandated firmware upgrades to restore secure operation. The vulnerability also potentially affects FortiWeb and FortiSwitch Manager, with investigations ongoing. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate promptly. The attack requires possession of a FortiCloud account and a registered device, but no additional authentication or user interaction is needed once these conditions are met. This vulnerability poses a severe risk to organizations relying on Fortinet's network security products, especially where FortiCloud SSO is enabled.

For European organizations, the impact of CVE-2026-24858 is substantial. Fortinet products are widely deployed across Europe in enterprises, government agencies, and critical infrastructure sectors such as energy, finance, and telecommunications. Successful exploitation can lead to unauthorized administrative access, enabling attackers to alter firewall rules, create persistent backdoors, and exfiltrate sensitive network configurations. This compromises network security posture, potentially allowing lateral movement, data breaches, and disruption of services. The ability to bypass authentication without user interaction or additional credentials increases the risk of stealthy, persistent intrusions. Organizations with FortiCloud SSO enabled are particularly vulnerable, and those unaware of the feature's activation may not have taken adequate precautions. The breach of firewall configurations can also undermine compliance with European data protection regulations such as GDPR, exposing organizations to legal and financial penalties. Furthermore, the geopolitical climate and increasing cyber espionage targeting European critical infrastructure heighten the threat's relevance. The disruption or compromise of network security devices could have cascading effects on business continuity and national security.

European organizations should immediately verify whether FortiCloud SSO is enabled on their Fortinet devices and disable it if not required. They must promptly apply the latest Fortinet firmware updates that address CVE-2026-24858 to eliminate the vulnerability. Conduct a thorough audit of firewall configurations and logs to detect unauthorized changes or newly created administrative accounts. Restore device configurations from known clean backups where possible to remove any persistent backdoors. Rotate all credentials associated with Fortinet devices, including LDAP/Active Directory accounts integrated with FortiGate appliances, to prevent credential reuse by attackers. Implement network segmentation to limit access to management interfaces and FortiCloud services. Monitor Fortinet device logs and network traffic for anomalous activity indicative of exploitation attempts. Engage in threat hunting exercises focused on Fortinet products and FortiCloud SSO usage. Establish strict access controls and multi-factor authentication for Fortinet management consoles where supported. Finally, maintain close coordination with Fortinet support and cybersecurity authorities for updates and incident response guidance.