Detect Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858) in Splunk
Detects exploitation of CVE-2026-24858, an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products. Attackers abuse an alternate authentication path or channel — specifically SSO abuse on FortiOS — to bypass normal authentication controls and gain unauthorized access. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=firewall OR index=network OR index=fortinet sourcetype IN ("fortigate_utm", "fortinet:fortigate:firewall", "fgt_log")
| where vendor="Fortinet" OR source_vendor="Fortinet"
| eval auth_bypass_indicator=if(match(lower(coalesce(msg, message, log_message, "")), "sso|saml|alternate.path|auth.bypass|unauthenticated|bypass|oauth"), 1, 0)
| eval admin_action=if(match(lower(coalesce(msg, message, log_message, "")), "admin|config.change|super.admin|privilege|root.access"), 1, 0)
| eval suspicious=if(auth_bypass_indicator=1 AND (action="accept" OR action="allowed" OR action="login"), 1, 0)
| where suspicious=1 OR (auth_bypass_indicator=1 AND admin_action=1)
| stats count AS event_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(msg) AS messages, values(action) AS actions, values(dstip) AS destination_ips by src_ip, hostname, devname
| eval risk_score=case(event_count>10, "high", event_count>3, "medium", true(), "low")
| where event_count >= 1
| sort - event_count
| table first_seen, last_seen, hostname, devname, src_ip, destination_ips, event_count, risk_score, actions, messagesSplunk detection for Fortinet authentication bypass exploitation via SSO/SAML abuse or alternate authentication channel, targeting FortiGate and related Fortinet product log sources.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate SSO integration events generating matching keywords in log messages
- Administrative maintenance windows using service accounts with SSO credentials
- SAML federation testing during identity provider migrations
- High-volume environments where auth keywords appear in normal operational logs
Other platforms for CVE-2026-24858
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate SSO Authentication Request to Fortinet Management Interface
Expected signal: HTTP request to /remote/logincheck with SSO/SAML parameters should appear in FortiGate authentication logs and in web proxy or network monitoring logs. Source IP, timestamp, and HTTP response code should be captured.
- Test 2Enumerate Fortinet Management Interface SSO Endpoints
Expected signal: Series of HTTPS connections to Fortinet management interface on TCP 443 from a single source IP targeting multiple URL paths in rapid succession. Should appear in web access logs and network flow data.
- Test 3Create Unauthorized Admin Account Post-Authentication-Bypass
Expected signal: FortiOS admin audit log should record a new admin account creation event with the account name 'svc_backup_acct', profile 'super_admin', and the API source IP. Event type=event, subtype=system, action=add should appear in FortiAnalyzer.
Unlock Pro Content
Get the full detection package for CVE-2026-24858 including response playbook, investigation guide, and atomic red team tests.