Fortinet patches actively exploited FortiOS SSO auth bypass (CVE-2026-24858)
Summary: Fortinet has patched CVE-2026-24858, an actively exploited critical vulnerability affecting FortiOS, FortiManager and FortiAnalyzer. The flaw lets attackers bypass SSO authentication; the FortiCloud SSO login feature is not enabled by default. Patches are available and Fortinet is investigating whether other products are affected. Attackers used malicious FortiCloud accounts to compromise devices.

2026-01-28 15:53 Author: securityaffairs.com

Fortinet has released fixes for a critical, actively exploited SSO authentication bypass (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer.

Fortinet has started rolling out patches for a critical FortiOS flaw that is under active attack. The bug, CVE-2026-24858 (CVSS score of 9.4), lets an attacker bypass administrative authentication through FortiCloud SSO. It affects FortiOS, FortiManager, and FortiAnalyzer; Fortinet is still checking whether other products are impacted.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.” reads the advisory. “Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch “Allow administrative login using FortiCloud SSO” in the registration page, FortiCloud SSO login is enabled upon registration.”

The company pointed out that FortiCloud SSO login is disabled in the factory defaults. It becomes enabled when an administrator registers the device to FortiCare from the device GUI (unless the "Allow administrative login using FortiCloud SSO" toggle is switched off on the registration page) or when the admin explicitly enables the FortiCloud SSO admin login option.

The vendor confirmed that the flaw was exploited from two malicious FortiCloud accounts, which it blocked on Jan 22, 2026. To stop the abuse, FortiCloud SSO was disabled on the FortiCloud side on Jan 26 and re-enabled on Jan 27. FortiCloud SSO now rejects logins involving devices running vulnerable versions, so customers must upgrade to a fixed release to keep using FortiCloud SSO authentication.

The company is still investigating whether other products, such as FortiWeb and FortiSwitch Manager, are affected by the vulnerability.

Fortinet provided a workaround, noting that FortiCloud SSO no longer allows logins from devices running vulnerable versions, so disabling SSO on the device side is not strictly required. As an extra precaution, administrators can manually disable FortiCloud SSO on FortiOS, FortiProxy, FortiManager, and FortiAnalyzer via the GUI or CLI until systems are fully patched.
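A practitioner applying that workaround usually wants to verify it across a fleet rather than trust the GUI on one box. The following is an added example written for this page, not code from Fortinet or from the article: it parses the `config ... / edit ... / set ... / next / end` structure of a FortiOS configuration backup, reports whether FortiCloud SSO admin login is still enabled, and lists administrator accounts so that unexpected ones (the persistence accounts described later in the article) stand out. The setting name `admin-forticloud-sso-login` under `config system global` is an assumption based on recent FortiOS releases and should be checked against the CLI reference for your firmware; the sample configuration is constructed and contains no real hashes.

```python
import shlex
from typing import Dict, Iterable, List, Tuple

# Setting name as it appears under `config system global` on recent FortiOS
# releases (assumption; confirm against the CLI reference for your firmware).
SSO_SETTING = "admin-forticloud-sso-login"

ConfigMap = Dict[Tuple[str, ...], Dict[str, List[str]]]

# Constructed sample in FortiOS backup syntax; not a real device export.
SAMPLE_CONFIG = """\
#config-version=constructed-sample
config system global
    set hostname "FGT-EDGE"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED_HASH
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED_HASH
    next
end
"""


def parse_fortios_config(text: str) -> ConfigMap:
    """Walk the config/edit/set/next/end structure of a FortiOS backup.

    Returns a flat map from path tuple to its settings, e.g.
    ("system", "global") -> {"hostname": ["FGT-EDGE"], ...} and
    ("system", "admin", "support") -> {"accprofile": ["super_admin"], ...}.
    """
    cfg: ConfigMap = {}
    path: List[str] = []
    pushed: List[int] = []  # how many path elements each open block added
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":          # `config system global` pushes two elements
            path.extend(args)
            pushed.append(len(args))
            cfg.setdefault(tuple(path), {})
        elif kw == "edit":          # table row such as `edit "support"`
            path.append(args[0])
            pushed.append(1)
            cfg.setdefault(tuple(path), {})
        elif kw in ("set", "unset", "append"):
            cfg.setdefault(tuple(path), {})[args[0]] = args[1:]
        elif kw in ("next", "end"):  # close the innermost block
            del path[len(path) - pushed.pop():]
    return cfg


def _blocks(cfg: ConfigMap, suffix: Tuple[str, ...]) -> ConfigMap:
    """Blocks whose path ends with `suffix`, so the lookup also works inside
    the `config global` / `config vdom` wrappers of a multi-VDOM backup."""
    return {p: s for p, s in cfg.items() if p[-len(suffix):] == suffix}


def forticloud_sso_enabled(cfg: ConfigMap) -> bool:
    return any(s.get(SSO_SETTING) == ["enable"]
               for s in _blocks(cfg, ("system", "global")).values())


def admin_accounts(cfg: ConfigMap) -> Dict[str, Dict[str, List[str]]]:
    """Rows of `config system admin`, keyed by account name."""
    return {p[-1]: s for p, s in cfg.items()
            if len(p) >= 3 and p[-3:-1] == ("system", "admin")}


def audit(cfg: ConfigMap, expected_admins: Iterable[str]) -> List[str]:
    expected = set(expected_admins)
    findings = []
    if forticloud_sso_enabled(cfg):
        findings.append(f"system global: {SSO_SETTING} is enabled; "
                        "disable it until the device is patched")
    for name, settings in admin_accounts(cfg).items():
        if name not in expected:
            profile = settings.get("accprofile", ["?"])[0]
            findings.append(f"system admin: unexpected account {name!r} "
                            f"with profile {profile!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG), {"admin"}):
        print(finding)
```

Run it against a backup taken from each device (the same export an attacker would steal), and treat any finding as a ticket: the SSO toggle should read `disable` until the fixed release is installed, and every super_admin account should be one you created.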

Last week, Fortinet confirmed that attackers were bypassing FortiCloud SSO on fully patched devices. The threat actors automate firewall changes, add users, enable VPNs, and steal configurations, in campaigns resembling the December 2025 exploitation of critical FortiCloud SSO flaws.

Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices. Attackers created generic accounts for persistence, enabled VPN access, and exfiltrated firewall configurations. The activity resembles a December 2025 campaign involving admin SSO logins and config theft. Arctic Wolf has detections in place and is monitoring the evolving threat.

In December 2025, Fortinet disclosed two critical SSO authentication bypass flaws, tracked as CVE-2025-59718 and CVE-2025-59719, both improper verification of cryptographic signature issues.

Threat actors started exploiting the two critical flaws in Fortinet products days after patch release, Arctic Wolf warned.

Arctic Wolf researchers observed attackers beginning to exploit the critical Fortinet authentication bypass flaws on December 12, just three days after patches were issued. The attacks involved malicious SSO logins to FortiGate devices, mainly targeting admin accounts, from multiple hosting providers. After gaining access, the attackers exported device configurations via the GUI. These files include hashed credentials, which threat actors can attempt to crack offline, increasing the risk of further compromise.

Recent intrusions show malicious SSO logins from a small set of hosting providers, often targeting the [email protected] account. After successful SSO access, the attackers quickly exported firewall configurations via the GUI and created secondary admin accounts for persistence. These actions occurred within seconds of each other, suggesting highly automated activity.
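The sequence described here and in the Arctic Wolf reporting above (SSO login, configuration export, new admin account, all within seconds from one source) is the kind of pattern a detection engineer can correlate directly from FortiGate event logs. The following is an added example written for this page, not code from Arctic Wolf, Fortinet or the article: it parses key=value event lines, then flags any successful SSO admin login that is followed within a short window by a configuration backup or an admin account creation from the same source address. The sample log lines are constructed; the `method="sso"` field, the `action="backup"` value and the `cfgpath`/`cfgobj` attributes are assumptions about the log schema and must be mapped to the fields your firmware actually emits.

```python
import re
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed FortiGate-style event lines (not captured from a real device).
# Field names beyond date/time/user/srcip are assumptions for this example.
SAMPLE_LOGS = [
    'date=2026-01-15 time=10:00:00 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" method="sso" srcip=203.0.113.10 '
    'action="login" status="success" msg="Administrator admin logged in from sso(203.0.113.10)"',
    'date=2026-01-15 time=10:00:03 type="event" subtype="system" level="information" '
    'logdesc="Configuration backup" user="admin" srcip=203.0.113.10 action="backup" '
    'msg="Configuration was backed up"',
    'date=2026-01-15 time=10:00:05 type="event" subtype="system" level="information" '
    'logdesc="Object configured" user="admin" srcip=203.0.113.10 action="Add" '
    'cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]"',
    'date=2026-01-15 time=11:30:00 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" method="https" srcip=192.0.2.5 '
    'action="login" status="success" msg="Administrator admin logged in from https(192.0.2.5)"',
    'date=2026-01-15 time=11:45:10 type="event" subtype="system" level="information" '
    'logdesc="Object configured" user="admin" srcip=192.0.2.5 action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> Dict[str, Any]:
    """Split one event line into a dict and attach a datetime under "_ts"."""
    ev: Dict[str, Any] = {k: (v[1:-1] if v.startswith('"') else v)
                          for k, v in KV_RE.findall(line)}
    ev["_ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def is_sso_login(ev: Dict[str, Any]) -> bool:
    return (ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("method") == "sso")


def is_config_export(ev: Dict[str, Any]) -> bool:
    return ev.get("action") == "backup"


def is_admin_created(ev: Dict[str, Any]) -> bool:
    return ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"


def detect_sso_abuse(lines: List[str], window_seconds: int = 60) -> List[Dict[str, Any]]:
    """Correlate each successful SSO admin login with follow-on actions from the
    same source within `window_seconds`. A config export or a new admin account
    right after the login is the automated pattern described in the article."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["_ts"])
    alerts: List[Dict[str, Any]] = []
    for i, login in enumerate(events):
        if not is_sso_login(login):
            continue
        deadline = login["_ts"] + timedelta(seconds=window_seconds)
        follow = [e for e in events[i + 1:]
                  if e["_ts"] <= deadline and e.get("srcip") == login.get("srcip")]
        exported = any(is_config_export(e) for e in follow)
        new_admins = [e["cfgobj"] for e in follow if is_admin_created(e)]
        if exported or new_admins:
            alerts.append({
                "time": login["_ts"].isoformat(),
                "user": login.get("user"),
                "srcip": login.get("srcip"),
                "config_exported": exported,
                "new_admins": new_admins,
                "severity": "high" if exported and new_admins else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sso_abuse(SAMPLE_LOGS):
        print(alert)
```

The window is deliberately short because the article stresses that the actions land within seconds; a human administrator who legitimately exports a backup after an SSO login will usually take longer, and an SSO login followed by nothing suspicious produces no alert. In production the same correlation belongs in the SIEM that already receives these events, with an allow-list of expected admin source addresses as an additional signal.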

Fortinet confirmed that attacks succeeded even against devices patched for CVE-2025-59718 and CVE-2025-59719. The company identified a new attack path after observing login exploits on fully updated devices. A fix is in progress, an advisory is pending, and all SAML SSO implementations may be affected.

“Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue. However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” reads the advisory published by the company.

“Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations.”


Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Source: https://securityaffairs.com/187426/security/fortinet-patches-actively-exploited-fortios-sso-auth-bypass-cve-2026-24858.html