(TLP:CLEAR) WaterISAC Advisory – Critical Vulnerability: Actively Exploited FortiCloud SSO Authentication Bypass Vulnerability (CVSS 9.4)

ACTION MAY BE REQUIRED for utilities using Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. See mitigation guidance below. Utilities that outsource technology support may need to consult with their service providers for assistance with remediation actions.

Summary: This week, Fortinet published a security advisory to disclose an actively exploited critical vulnerability impacting several of its products. The FortiCloud single sign-on (SSO) authentication bypass vulnerability is tracked as CVE-2026-24858. Successful exploitation may allow an attacker to exploit FortiCloud SSO to gain administrative access to FortiOS, FortiManager, FortiProxy, and FortiAnalyzer devices registered to other customers, even if those devices are fully patched against previously disclosed vulnerabilities. Fortinet has blocked FortiCloud SSO connections from devices running vulnerable firmware versions to mitigate the zero-day attacks. CISA also published an alert titled “Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858.”

Mitigation Recommendations: Fortinet advises users to update the affected products to patched versions. A list of all affected products can be found on Fortinet’s advisory. WaterISAC urges members to review the advisory and implement Fortinet’s suggested actions. If you are unable to update, Fortinet has included a workaround. Additionally, members are highly encouraged to remain alert to additional updates from Fortinet, which has stated that additional patches for most of the affected versions remain upcoming. Fortinet has also shared a list of indicators of compromise (IOCs).

Original Sources: https://www.fortiguard.com/psirt/FG-IR-26-060

Additional Reading:

• Critical FortiCloud SSO zero‑day forces emergency service disablement at Fortinet
• Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858

Related WaterISAC PIRs: 6, 8, 10, 12