CVE-2026-24858 Elastic Security · Elastic

Detect Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858) in Elastic Security

Detects exploitation of CVE-2026-24858, an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products. Attackers abuse an alternate authentication path or channel — specifically SSO abuse on FortiOS — to bypass normal authentication controls and gain unauthorized access. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Persistence Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip, host.name with maxspan=30m
  [network where event.category == "network" and
   (network.application in ("forticlient", "fortios", "fortigate") or
    observer.vendor == "Fortinet") and
   (message like~ "*sso*" or message like~ "*saml*" or message like~ "*alternate*auth*" or
    message like~ "*bypass*" or message like~ "*unauthenticated*") and
   event.outcome == "success"]
  [authentication where event.category == "authentication" and
   (observer.vendor == "Fortinet" or host.type == "firewall") and
   event.outcome == "success" and
   (user.name like~ "*admin*" or user.roles like~ "*super*" or user.roles like~ "*root*")]
critical severity medium confidence

Elastic EQL sequence detection matching a Fortinet SSO/alternate-channel authentication success followed by an administrative authentication success from the same source IP within 30 minutes, indicating potential exploitation of CVE-2026-24858.

Data Sources

Elastic SIEMFortinet IntegrationNetwork Authentication Logs

Required Tables

logs-*filebeat-*network-*

False Positives & Tuning

  • Administrators legitimately authenticating via SSO and then performing admin tasks
  • Automated provisioning systems using SSO then making configuration API calls
  • Security scanning tools testing authentication paths
  • Load balancer health checks triggering authentication events

Other platforms for CVE-2026-24858

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate SSO Authentication Request to Fortinet Management Interface

    Expected signal: HTTP request to /remote/logincheck with SSO/SAML parameters should appear in FortiGate authentication logs and in web proxy or network monitoring logs. Source IP, timestamp, and HTTP response code should be captured.

  2. Test 2Enumerate Fortinet Management Interface SSO Endpoints

    Expected signal: Series of HTTPS connections to Fortinet management interface on TCP 443 from a single source IP targeting multiple URL paths in rapid succession. Should appear in web access logs and network flow data.

  3. Test 3Create Unauthorized Admin Account Post-Authentication-Bypass

    Expected signal: FortiOS admin audit log should record a new admin account creation event with the account name 'svc_backup_acct', profile 'super_admin', and the API source IP. Event type=event, subtype=system, action=add should appear in FortiAnalyzer.

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-24858 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1556Modify Authentication ProcessT1078Valid AccountsT1133External Remote Services

Same Tactic: Initial Access

Popular Detections