PT-2026-5008 · Fortinet · FortiAnalyzer +2

Michele Damico · Published 2026-01-27 · Updated 2026-05-12

CVE-2026-24858

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiAnalyzer versions 7.6.0 through 7.6.5
FortiAnalyzer versions 7.4.0 through 7.4.9
FortiAnalyzer versions 7.2.0 through 7.2.11
FortiAnalyzer versions 7.0.0 through 7.0.15
FortiManager versions 7.6.0 through 7.6.5
FortiManager versions 7.4.0 through 7.4.9
FortiManager versions 7.2.0 through 7.2.11
FortiManager versions 7.0.0 through 7.0.15
FortiOS versions 7.6.0 through 7.6.5
FortiOS versions 7.4.0 through 7.4.10
FortiOS versions 7.2.0 through 7.2.12
FortiOS versions 7.0.0 through 7.0.18
FortiProxy versions 7.6.0 through 7.6.4
FortiProxy versions 7.4.0 through 7.4.12
FortiProxy versions 7.2.0 through 7.2.15
FortiProxy versions 7.0.0 through 7.0.22
FortiWeb versions 8.0.0 through 8.0.3
FortiWeb versions 7.6.0 through 7.6.6
FortiWeb versions 7.4.0 through 7.4.11
Description

An authentication bypass flaw exists in the FortiCloud single sign-on (SSO) system. An attacker who holds a FortiCloud account and has a device registered to it can log in to devices registered to other FortiCloud accounts, provided that FortiCloud SSO authentication is enabled on those target devices. The flaw can be used to create unauthorized administrative accounts and gain administrative access to managed devices. It has been actively exploited by sophisticated threat actors, including the Chinese state-sponsored group Mustang Panda, against critical infrastructure and technology sectors for data exfiltration and long-term access.
Recommendations

Disable FortiCloud SSO for non-essential systems until a permanent patch is available.
Enforce multi-factor authentication (MFA) for all administrative accounts.
Monitor for unusual login activity, such as unexpected SSO connections or changes to user permissions.
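As an added illustration of the monitoring recommendation (not part of this advisory or of any Fortinet tooling), the Python script below triages constructed log lines that approximate the FortiOS key=value event-log format, flagging successful SSO admin logins by unexpected users and administrator accounts created from an SSO-originated session. The field names, the `forticloud-sso` method value and the `system.admin` config path are assumptions to verify against the logdesc/method values your own devices emit.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines approximating FortiOS key=value event logs.
# The field names and values (method="forticloud-sso", cfgpath="system.admin")
# are assumptions, not copied from a real device.
SAMPLE_LOGS = [
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" '
    'method="https" action="login" status="success" profile="super_admin"',
    'logdesc="Admin login successful" user="svc-cloud" ui="https(198.51.100.20)" '
    'method="forticloud-sso" action="login" status="success" profile="super_admin"',
    'logdesc="Object attribute configured" user="svc-cloud" ui="https(198.51.100.20)" '
    'action="Add" cfgpath="system.admin" cfgobj="backup-admin" msg="Add system.admin backup-admin"',
    'logdesc="Admin login successful" user="ops-lead" ui="https(10.0.0.7)" '
    'method="forticloud-sso" action="login" status="success" profile="super_admin"',
]

# key=value pairs; values may be double-quoted (and then may contain spaces).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one log line into a dict, honouring double-quoted values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def find_suspicious(lines: List[str], expected_sso_users: Set[str],
                    sso_method: str = "forticloud-sso") -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) triples for events worth an analyst's attention."""
    findings: List[Tuple[str, str, str]] = []
    sso_sessions: Set[str] = set()  # users whose admin session arrived via SSO
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") == "login" and ev.get("status") == "success" \
                and ev.get("method") == sso_method:
            sso_sessions.add(ev.get("user", ""))
            if ev.get("user") not in expected_sso_users:
                findings.append(("unexpected-sso-login", ev.get("user", ""), ev.get("ui", "")))
        # Any new administrator object is notable; one created from an SSO session
        # matches the abuse chain described above and gets a stronger label.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            actor = ev.get("user", "")
            tag = "sso-session-created-admin" if actor in sso_sessions else "admin-account-created"
            findings.append((tag, actor, ev.get("cfgobj", "")))
    return findings
```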

Tags: Fix, LPE, RCE

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

BDU:2026-00882
CVE-2026-24858

Affected Products

FortiAnalyzer
FortiManager
FortiOS