CVE-2026-24858

CRITICAL KEV

Fortinet FortiAnalyzer 7.0.0-7.0.15, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.5 - Authentication Bypass via FortiCloud SSO

Title source: llm

Exploitation Summary

CVE-2026-24858 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 27, 2026. EIP tracks 6 public exploits from researchers including XiaomingX, absholi7ly, gagaltotal.

AI-analyzed exploit summary: the six tracked repositories do not describe the same thing. The absholi7ly and gagaltotal entries below match the vendor description: an attacker who holds any valid FortiCloud account uses FortiCloud SSO to log in to FortiOS, FortiManager or FortiAnalyzer appliances registered to other customers' accounts and lands in the administrative GUI. The XiaomingX and SimoesCTT entries describe a "temporal vulnerability in the SAML state machine" exploited with "fluid dynamics principles" and "resonance attacks"; that is not a description of this vulnerability, and those entries are rated Theoretical below despite their Working PoC scores. Treat every summary as an LLM reading of the repository's README, not as independent verification that the code works.

Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
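The affected-version list above is long enough to misread by hand, and the description makes exposure conditional on FortiCloud SSO being enabled on the device. As an added example (not code from this page, from Fortinet, or from any repository listed below), the Python that follows parses the "Product X.Y.Z through X.Y.W" ranges straight out of that sentence, answers whether a given build is in scope, and triages a constructed inventory against the SSO condition. The inventory format, the hostnames, the versions and the forticloud_sso flag are assumptions made up for the example.

```python
"""Affected-build check for CVE-2026-24858, driven by the vendor's own range list.

Added example: the range text is the description quoted on this page; the inventory
below is constructed, and its fields (host, product, version, forticloud_sso) are
assumptions for the example, not a Fortinet export format.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected products exactly as worded in the description above.
ADVISORY_TEXT = (
    "Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, "
    "FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, "
    "FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, "
    "FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, "
    "FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, "
    "FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, "
    "FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, "
    "FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, "
    "FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, "
    "FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11"
)

# "<Product> <low> through <high>"; the product token also covers names like FortiNAC-F.
RANGE_RE = re.compile(r"(Forti[A-Za-z-]+)\s+(\d+(?:\.\d+)+)\s+through\s+(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Version:
    """'7.4.10' -> (7, 4, 10); tuples compare numerically, so 7.4.10 > 7.4.9."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_ranges(text: str) -> Dict[str, List[Tuple[Version, Version]]]:
    """Map lower-cased product name -> list of inclusive (low, high) version ranges."""
    ranges: Dict[str, List[Tuple[Version, Version]]] = {}
    for product, low, high in RANGE_RE.findall(text):
        ranges.setdefault(product.lower(), []).append((parse_version(low), parse_version(high)))
    return ranges


AFFECTED = parse_ranges(ADVISORY_TEXT)


def is_affected(product: str, version: str) -> bool:
    """True when the build falls inside any inclusive range the vendor lists for that product."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED.get(product.lower(), []))


def triage(inventory: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Rank each device. An affected build is only reachable through this CVE when
    FortiCloud SSO login is enabled on it (the condition in the description), but an
    affected build with SSO disabled still needs the fixed firmware."""
    verdicts: List[Tuple[str, str]] = []
    for dev in inventory:
        affected = is_affected(str(dev["product"]), str(dev["version"]))
        if affected and dev["forticloud_sso"]:
            verdicts.append((str(dev["host"]), "exposed"))
        elif affected:
            verdicts.append((str(dev["host"]), "affected"))
        else:
            verdicts.append((str(dev["host"]), "clear"))
    return verdicts


# Constructed inventory: hostnames, versions and the SSO flag are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "7.4.10", "forticloud_sso": True},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "7.4.11", "forticloud_sso": True},
    {"host": "fmg-01", "product": "FortiManager", "version": "7.0.15", "forticloud_sso": False},
    {"host": "nac-01", "product": "FortiNAC-F", "version": "7.6.2", "forticloud_sso": True},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {verdict}")
```

The comparison is on integer tuples rather than strings so that 7.4.10 sorts after 7.4.9 and the FortiOS 7.4.10 boundary is handled correctly; a build one patch level above any listed high bound (7.4.11, 7.0.19, 8.0.4) comes back clear.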

Exploits (6)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-24858

This repository contains a functional exploit PoC for CVE-2026-24858, targeting FortiCloud SSO identity management via a temporal vulnerability in the SAML state machine. The exploit uses fluid dynamics principles to synchronize a low-privilege account with an administrator session.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Complex
Reliability
Theoretical
Target: FortiCloud SSO
Auth required
Prerequisites: valid FortiCloud account · registered dummy device · attacker token
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 2 stars
by absholi7ly · poc
https://github.com/absholi7ly/CVE-2026-24858-FortiCloud-SSO-Authentication-Bypass

This PoC demonstrates an authentication bypass vulnerability in FortiCloud SSO, allowing an attacker with a valid FortiCloud account to reuse their SSO token to gain unauthorized access to other customers' FortiGate/FortiManager/FortiAnalyzer appliances. Successful exploitation grants full admin GUI access and a root shell.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: FortiCloud SSO. The repository lists FortiOS 7.0.0–7.0.18, 7.2.0–7.2.12, 7.4.0–7.4.10 and 7.6.0–7.6.5, which match the vendor description above, but gives FortiManager as 7.0.0–7.0.10, 7.2.0–7.2.5 and 7.4.0–7.4.9 with "FortiAnalyzer same ranges"; that is narrower than the vendor's 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9 and 7.6.0–7.6.5 for both products, so scope on the vendor ranges, not the repository's.
Auth required
Prerequisites: A valid FortiCloud account (free or paid) · Network access to the target appliance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by gagaltotal · poc
https://github.com/gagaltotal/cve-2026-24858

This repository contains a Python-based PoC for CVE-2026-24858, an administrative FortiCloud SSO authentication bypass vulnerability. It includes both a scanner to detect Fortinet web management indicators and an optional exploit sender that requires explicit enabling via a flag.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiCloud SSO
No auth needed
Prerequisites: Network access to the target FortiCloud SSO interface · Python environment with required dependencies
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by SimoesCTT · poc
https://github.com/SimoesCTT/SCTT-2026-33-0004-FortiCloud-SSO-Identity-Singularity

This PoC exploits a temporal vulnerability in FortiCloud's SAML state machine (CVE-2026-24858) by synchronizing a low-privilege account with an admin session through 33-layered resonance attacks, achieving privilege escalation via identity collision.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Complex
Reliability
Theoretical
Target: FortiCloud SSO (post-January 2026 patch)
Auth required
Prerequisites: Valid FortiCloud account · Registered dummy device · Target URL and attacker token
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by SimoesCTT · poc
https://github.com/SimoesCTT/-CTT-NSP-Convergent-Time-Theory---Network-Stack-Projection-CVE-2026-24858-

This PoC implements a novel network stack projection attack using fluid dynamics principles (CTT-Navier-Stokes mapping) to decompose and deliver payloads across temporal layers. It employs energy cascade techniques and prime resonance timing to evade detection.

Classification
Working Poc 85%
Attack Type
Other
Complexity
Complex
Reliability
Theoretical
Target: Unknown (CTT-NSP Convergent Time Theory - Network Stack Projection)
No auth needed
Prerequisites: Network access to target · Python environment with required libraries
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by m0d0ri205 · poc
https://github.com/m0d0ri205/CVE-2026-24858

This is a detailed writeup analyzing CVE-2026-24858, a critical authentication bypass vulnerability in Fortinet FortiCloud SSO. The document provides technical details, affected versions, CVSS scoring, and real-world attack scenarios.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiOS, FortiProxy, FortiPAM, FortiSwitchManager (FortiPAM and FortiSwitchManager do not appear in the vendor's affected-product list above, which covers FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiNAC-F and FortiWeb)
No auth needed
Prerequisites: FortiCloud SSO enabled · Management interface exposed to the internet · Vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026
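The absholi7ly summary above describes the attack as a legitimate FortiCloud SSO login that lands on someone else's appliance, and the m0d0ri205 prerequisites list FortiCloud SSO enabled plus an exposed management interface. The hunt that follows is an added example, not code from this page or from any of the repositories: it parses FortiOS-style key="value" admin-login events and flags successful SSO logins by accounts that are not on the owner's allowlist for that device. The three log lines are constructed for the example, and the marker used to recognise an SSO login (method="sso") is an assumption to confirm against logs from your own appliance; the logdesc, devname, user, srcip, profile and status field names follow the FortiOS event-log convention.

```python
"""Hunt FortiOS-style event logs for FortiCloud SSO admin logins by unexpected accounts.

Added example for CVE-2026-24858. Field names follow the FortiOS key="value" event-log
layout; the marker for an SSO login (method="sso") is an assumption to verify against
real logs, and the sample lines below are constructed, not captured from a device.
"""
import re
from typing import Dict, Iterable, List, Set

# key=value or key="quoted value" pairs; the quoted branch tolerates escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortinet_log(line: str) -> Dict[str, str]:
    """Split one log line into a dict, stripping the quotes around quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_sso_login(f: Dict[str, str]) -> bool:
    """Successful administrator login that arrived through SSO (assumed marker: method="sso")."""
    return (
        f.get("logdesc") == "Admin login successful"
        and f.get("status") == "success"
        and f.get("method", "").lower() == "sso"
    )


def find_unexpected_sso_logins(
    lines: Iterable[str], expected: Dict[str, Set[str]]
) -> List[Dict[str, str]]:
    """Return one record per SSO admin login whose account is not allowlisted for that device.

    `expected` maps devname -> set of FortiCloud accounts that legitimately manage it.
    A device with no entry has an empty allowlist, so every SSO login on it is flagged.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortinet_log(line)
        if not is_sso_login(f):
            continue
        device, user = f.get("devname", "?"), f.get("user", "?")
        if user not in expected.get(device, set()):
            hits.append({
                "device": device,
                "user": user,
                "srcip": f.get("srcip", "?"),
                "profile": f.get("profile", "?"),
                "time": f"{f.get('date', '')} {f.get('time', '')}",
            })
    return hits


# Constructed sample: an expected SSO login, an SSO login from a foreign account, and an SSH login.
SAMPLE_LOGS = [
    'date=2026-01-20 time=09:14:02 devname="fw-branch-01" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="ops@example.com" '
    'ui="https(198.51.100.7)" method="sso" srcip=198.51.100.7 action="login" status="success" '
    'profile="super_admin" msg="Administrator ops@example.com logged in successfully"',
    'date=2026-01-20 time=11:47:55 devname="fw-branch-01" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="someone@attacker.example" '
    'ui="https(203.0.113.9)" method="sso" srcip=203.0.113.9 action="login" status="success" '
    'profile="super_admin" msg="Administrator someone@attacker.example logged in successfully"',
    'date=2026-01-20 time=12:01:10 devname="fw-branch-01" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.5)" '
    'method="ssh" srcip=10.0.0.5 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully"',
]

# Constructed allowlist: the FortiCloud account that legitimately manages fw-branch-01.
EXPECTED_SSO_ACCOUNTS: Dict[str, Set[str]] = {"fw-branch-01": {"ops@example.com"}}

if __name__ == "__main__":
    for hit in find_unexpected_sso_logins(SAMPLE_LOGS, EXPECTED_SSO_ACCOUNTS):
        print(hit)
```

A hit here is a session opened with the attacker's own FortiCloud account rather than a stolen local credential, so rotating local admin passwords does not close it; per the description, the precondition is FortiCloud SSO authentication being enabled on the device, and the fixed firmware versions are listed above. Run the hunt over the full retention window, since the KEV listing dates exploitation to before the January 27, 2026 publication.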

Scores

CVSS v3 9.8
EPSS 0.0395
EPSS Percentile 88.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-01-27
VulnCheck KEV 2026-01-27
ENISA EUVD EUVD-2026-4712
CWE
CWE-288
Status published
Products (27)
fortinet/fortianalyzer 7.0.0 - 7.0.15
Fortinet/FortiAnalyzer 7.0.0 - 7.0.15
Fortinet/FortiAnalyzer 7.2.0 - 7.2.11
Fortinet/FortiAnalyzer 7.4.0 - 7.4.9
Fortinet/FortiAnalyzer 7.6.0 - 7.6.5
fortinet/fortimanager 7.0.0 - 7.0.15
Fortinet/FortiManager 7.0.0 - 7.0.15
Fortinet/FortiManager 7.2.0 - 7.2.11
Fortinet/FortiManager 7.4.0 - 7.4.9
Fortinet/FortiManager 7.6.0 - 7.6.5
... and 17 more
Published Jan 27, 2026
KEV Added Jan 27, 2026
Tracked Since Feb 18, 2026