Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858)
Detects exploitation of CVE-2026-24858, an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products. Attackers abuse an alternate authentication path or channel — specifically SSO abuse on FortiOS — to bypass normal authentication controls and gain unauthorized access. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Fortinet
- Product
- Multiple Products
Weakness (CWE)
Timeline
- Disclosed
- January 27, 2026
CVSS
What is CVE-2026-24858 Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858)?
Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858) (CVE-2026-24858) maps to the Initial Access and Persistence and Credential Access tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858), covering the data sources and telemetry it touches: CommonSecurityLog, Fortinet Firewall Logs, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let timeframe = 24h;
let SuspiciousFortinetAuth = CommonSecurityLog
| where TimeGenerated >= ago(timeframe)
| where DeviceVendor =~ "Fortinet"
| where Activity has_any ("sso", "saml", "oauth", "authentication", "login", "bypass")
| where (AdditionalExtensions has_any ("auth_method=sso", "auth_method=saml", "bypass", "alternate") or Message has_any ("SSO", "SAML", "alternate path", "auth bypass", "unauthenticated"))
| extend SourceIP = coalesce(SourceIP, DeviceAddress)
| project TimeGenerated, DeviceName, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, Activity, Message, AdditionalExtensions, LogSeverity;
let AdminActions = CommonSecurityLog
| where TimeGenerated >= ago(timeframe)
| where DeviceVendor =~ "Fortinet"
| where Activity has_any ("admin", "config", "privilege", "root", "super_admin")
| where LogSeverity in ("high", "critical", "error")
| extend SourceIP = coalesce(SourceIP, DeviceAddress)
| project TimeGenerated, DeviceName, SourceIP, Activity, Message, LogSeverity;
SuspiciousFortinetAuth
| join kind=leftouter AdminActions on $left.SourceIP == $right.SourceIP
| summarize AuthEvents=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Activities=make_set(Activity), Messages=make_set(Message) by DeviceName, DeviceVendor, DeviceProduct, SourceIP
| where AuthEvents >= 1
| extend RiskScore = case(AuthEvents > 10, "High", AuthEvents > 3, "Medium", "Low")
| project FirstSeen, LastSeen, DeviceName, DeviceProduct, SourceIP, AuthEvents, Activities, Messages, RiskScore
| sort by AuthEvents descDetects suspicious authentication events on Fortinet devices consistent with SSO/SAML abuse or alternate authentication channel exploitation as described in CVE-2026-24858. Correlates authentication bypass indicators with subsequent privileged administrative actions.
Data Sources
Required Tables
False Positives
- Legitimate SSO/SAML authentication flows configured in the environment
- Scheduled administrative tasks authenticating via service accounts using alternate auth methods
- Penetration testing or red team exercises targeting Fortinet infrastructure
- Log format variations across Fortinet product versions causing keyword mismatch
Sigma rule & cross-platform mapping
The detection logic for Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858) (CVE-2026-24858) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-24858
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SSO Authentication Request to Fortinet Management Interface
Expected signal: HTTP request to /remote/logincheck with SSO/SAML parameters should appear in FortiGate authentication logs and in web proxy or network monitoring logs. Source IP, timestamp, and HTTP response code should be captured.
- Test 2Enumerate Fortinet Management Interface SSO Endpoints
Expected signal: Series of HTTPS connections to Fortinet management interface on TCP 443 from a single source IP targeting multiple URL paths in rapid succession. Should appear in web access logs and network flow data.
- Test 3Create Unauthorized Admin Account Post-Authentication-Bypass
Expected signal: FortiOS admin audit log should record a new admin account creation event with the account name 'svc_backup_acct', profile 'super_admin', and the API source IP. Event type=event, subtype=system, action=add should appear in FortiAnalyzer.
Unlock Pro Content
Get the full detection package for CVE-2026-24858 including response playbook, investigation guide, and atomic red team tests.