* Last update: 28/01/2026
* Affected products: FortiOS, FortiManager, FortiAnalyzer
* Type: Authentication bypass
* CVE/CVSS:
  - CVE-2026-24858: CVSS 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Fortinet
Fortinet released an advisory about CVE-2026-24858, a 0-day vulnerability affecting FortiOS, FortiManager and FortiAnalyzer. Fortinet is currently investigating if this vulnerability also affects FortiWeb and FortiSwitch Manager (cut-off date: 28 January 2026).
This vulnerability can be exploited to allow remote attackers with a FortiCloud account and a registered device to log into other devices registered to other accounts. Remote attackers were seen creating admin accounts on targeted systems for persistence. This vulnerability has a high impact on confidentiality, integrity and availability.
Similar attacks leveraging the FortiCloud SSO login feature took place last December[1]. Fortinet devices are attractive targets to a variety of threat actors as a way to gain initial access into a network.
This vulnerability is actively exploited. It is a 0-day vulnerability that was exploited for at least weeks before Fortinet released its advisory. Threat actors were observed exploiting this vulnerability to download customer config files and to add admin accounts to ensure persistence.
Note that, in response to active exploitation, Fortinet no longer supports FortiCloud SSO authentication login from devices running vulnerable versions.
[1] https://www.securityweek.com/fortinet-patches-exploited-forticloud-sso-authentication-bypass/
CVE-2026-24858 is an authentication bypass vulnerability affecting FortiOS, FortiManager and FortiAnalyzer. Fortinet is currently investigating if this vulnerability also affects FortiWeb and FortiSwitch Manager (cut-off date: 28 January 2026).
An attacker with a FortiCloud account and a registered device could exploit this vulnerability to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
The FortiCloud SSO login feature is not enabled by default. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch "Allow administrative login using FortiCloud SSO" in the registration page, FortiCloud SSO login is enabled upon registration.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Note that, in response to active exploitation, Fortinet no longer supports login from devices running vulnerable versions. Organisations must upgrade to the latest versions for the FortiCloud SSO authentication to work. As a result, there is no need to disable the FortiCloud SSO authentication feature on the client side as a workaround.
Mitigation actions
Due to active exploitation, Fortinet recommends additional mitigation actions beyond patching:
Consult Fortinet’s webpage for exact commands to run: https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
Monitor/Detect
The CCB recommends organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
Indicators of Compromise (IOCs) can be used to look for signs of compromise. IOCs are available on this page (https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios) as well as via the CCB’s MISP instance: https://mispmaster.int.belbone.be/events/view/bcf94b25-4437-443f-8768-24f4a2d17f91 (the link will work only if your organisation is connected to the CCB’s MISP instance).
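As an added example (not part of this advisory or of Fortinet's own tooling), the script below parses FortiOS-style key=value event logs and flags the two behaviours described above: creation of new administrator accounts and configuration backups/downloads. The log lines are constructed, and the exact field values (`action="Add"`, `cfgpath="system.admin"`, `action="backup"`) are an assumption about what an affected device logs; adjust them to the IOCs and log samples published by Fortinet and the CCB.

```python
import re

# CONSTRUCTED sample lines in the FortiOS key=value log format. Field names
# follow the FortiOS convention, but the values are assumed for illustration
# and are not taken from Fortinet's advisory.
SAMPLE_LOGS = [
    'date=2026-01-27 time=03:12:44 type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="cloud-user" '
    'ui="sso" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'msg="Add system.admin svc_backup"',
    'date=2026-01-27 time=03:13:10 type="event" subtype="system" level="notice" '
    'user="svc_backup" ui="https(198.51.100.7)" action="backup" '
    'msg="Configuration backed up by user svc_backup"',
    'date=2026-01-27 time=08:00:01 type="event" subtype="system" '
    'level="information" user="admin" ui="https(10.0.0.5)" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def flag_suspicious(lines):
    """Return (reason, acting user, object) tuples for events matching the
    advisory's reported post-exploitation activity: new admin accounts and
    configuration backups/downloads."""
    findings = []
    for raw in lines:
        ev = parse_fortios_line(raw)
        if ev.get("action") == "Add" and ev.get("cfgpath", "").startswith("system.admin"):
            findings.append(("new-admin-account", ev.get("user"), ev.get("cfgobj")))
        elif ev.get("action") == "backup":
            findings.append(("config-backup", ev.get("user"), ev.get("ui")))
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_LOGS):
        print(finding)
```

Any hit on a device that had FortiCloud SSO login enabled during the exploitation window should be treated as a possible compromise and checked against the published IOCs, since patching alone does not undo accounts or backups an attacker already created.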
In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.