The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Fortinet flaw to its Known Exploited Vulnerabilities (KEV) catalog, tracked as CVE-2026-24858, which carries a CVSS score of 9.4 and affects FortiOS, FortiManager, and FortiAnalyzer. The vulnerability enables an authentication bypass via FortiCloud SSO, and Fortinet has begun rolling out patches for FortiOS in response to active exploitation.
The advisory notes that the flaw was exploited by two FortiCloud accounts before being blocked on 22 January 2026, with FortiCloud SSO subsequently disabled on 26 January and re-enabled on 27 January 2026; administrators are advised to upgrade to supported releases to continue using FortiCloud SSO authentication.
CISA also published guidance and reminded federal agencies to address the identified vulnerabilities under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, with a due date for action of 30 January 2026. The article also indicates that Fortinet is assessing whether additional products such as FortiWeb and FortiSwitch Manager are affected, and suggests that private organisations review the KEV Catalog and apply mitigations where feasible.