Fortinet begins rolling out fixes for critical FortiOS zero-day 

Fortinet has started releasing patched FortiOS versions for a critical zero-day vulnerability that allowed attackers to log into targeted organizations’ FortiGate firewalls.

The company said the flaw (CVE-2026-24858) was actively exploited in the wild by two malicious FortiCloud accounts, which were disabled on January 22, 2026. The disclosure follows reports from several Fortinet customers on January 20, who revealed that attackers had gained access to their FortiGate devices and created new local administrator accounts, even though the firewalls were running the latest FortiOS versions at the time.

Those versions already included fixes for the previously exploited authentication bypass vulnerability (CVE-2025-59718). Some affected users initially suspected that CVE-2025-59718 had not been fully patched. Fortinet has since clarified that the incidents were caused by a separate issue (CVE-2026-24858).

CVE-2026-24858 is described as an improper verification of cryptographic signature. It could allow an attacker with a FortiCloud account and a registered device to log into other devices registered under different accounts, provided FortiCloud single sign-on (SSO) authentication is enabled.

The vulnerability affects FortiOS, which runs on Fortinet firewalls, as well as FortiAnalyzer and FortiManager. As with CVE-2025-59718, exploitation is only possible on systems with FortiCloud SSO enabled.

Fortinet has fixed the issue in FortiOS 7.4.11, with patched versions of FortiOS, FortiManager, and FortiAnalyzer expected to be released shortly. Organizations are strongly advised to upgrade as soon as fixes become available.
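As an added illustration, not part of this article or of Fortinet's own advisory, the following Python script audits a FortiOS-style configuration backup for the two conditions the article highlights: whether FortiCloud SSO administrator login is enabled (the precondition for exploiting CVE-2026-24858 and CVE-2025-59718), and whether local administrator accounts exist beyond a known baseline (the post-exploitation symptom customers reported). The configuration text is constructed to mimic the FortiOS CLI backup format, and the setting name `admin-forticloud-sso-login` is an assumption about the relevant FortiOS global setting that should be checked against Fortinet's guidance before relying on it.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a FortiOS CLI backup (not a real device export).
# ASSUMPTION: `admin-forticloud-sso-login` under `config system global` is the setting
# that controls FortiCloud SSO admin login; confirm against Fortinet's documentation.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Baseline of administrator accounts the organisation knows it created (constructed).
KNOWN_ADMINS = {"admin"}


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a FortiOS-style config into top-level 'config ... end' sections.

    Nested config/end blocks are tracked by depth so their lines stay attached
    to the enclosing top-level section.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    depth = 0
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0:
                current = line[len("config "):]
                sections[current] = []
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def forticloud_sso_enabled(sections: Dict[str, List[str]]) -> bool:
    """Return True when the global FortiCloud SSO admin-login setting is 'enable'."""
    for line in sections.get("system global", []):
        m = re.match(r"set admin-forticloud-sso-login (\w+)", line)
        if m:
            return m.group(1) == "enable"
    # ASSUMPTION: treat an absent setting as disabled; verify the platform default.
    return False


def admin_accounts(sections: Dict[str, List[str]]) -> List[str]:
    """List the local administrator account names under 'config system admin'."""
    names = []
    for line in sections.get("system admin", []):
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            names.append(m.group(1))
    return names


def audit(config: str, known_admins) -> dict:
    """Report SSO exposure and any administrator accounts outside the baseline."""
    sections = parse_sections(config)
    admins = admin_accounts(sections)
    unexpected = sorted(set(admins) - set(known_admins))
    sso = forticloud_sso_enabled(sections)
    findings = []
    if sso:
        findings.append(
            "FortiCloud SSO admin login is enabled: device is in scope for "
            "CVE-2026-24858 and CVE-2025-59718 until patched"
        )
    for name in unexpected:
        findings.append(f"unexpected local administrator account: {name}")
    return {
        "sso_enabled": sso,
        "admins": admins,
        "unexpected_admins": unexpected,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_ADMINS)["findings"]:
        print(finding)
```

Run the script against a real backup by replacing `SAMPLE_CONFIG` with the exported configuration text and `KNOWN_ADMINS` with the organisation's own baseline; any account outside that baseline warrants an incident-response look rather than silent deletion, since the article notes attackers created such accounts on fully patched devices.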
