
Fortinet CVE-2026-24858: FortiCloud SSO Bypass Hits SAMA Banks

Fortinet's CVE-2026-24858 lets attackers bypass FortiCloud SSO and seize admin control over FortiOS, FortiManager, and FortiProxy. Why SAMA-regulated banks must act before patches arrive.

FyntraLink Team

Fortinet has confirmed active exploitation of CVE-2026-24858, a CVSS 9.8 authentication bypass in FortiCloud SSO that grants attackers privileged access across FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. CISA added the flaw to its Known Exploited Vulnerabilities catalog this week, and Shadowserver telemetry shows nearly 10,000 exposed instances worldwide — a direct concern for every SAMA-regulated bank running Fortinet at the perimeter.

How CVE-2026-24858 Bypasses FortiCloud SSO

The vulnerability sits in the SAML assertion handling path used by FortiCloud SSO when federating administrative logins to Fortinet management planes. By forging or replaying a crafted assertion, an unauthenticated attacker can obtain a valid administrative session token without ever providing credentials or hitting MFA. The flaw chains cleanly: once an attacker reaches FortiManager or FortiAnalyzer with admin rights, they can push policy changes to every downstream FortiGate, disable logging, and pivot into the core network.

Fortinet has acknowledged that some exploitation occurred earlier this month and that patches have not yet shipped across all affected products. That patch gap — combined with the fact that FortiCloud SSO is enabled by default on most modern deployments — is what makes this incident materially different from prior Fortinet auth bypasses such as CVE-2024-55591 and CVE-2025-25257.

Why This Threat Is Different for Edge Devices

FortiManager and FortiAnalyzer typically hold the encrypted backups of every firewall configuration, IPsec pre-shared keys, BGP credentials, and in many SAMA banks the LDAP or RADIUS bind passwords used by branch firewalls. A single successful exploitation effectively unlocks lateral movement into the core banking VLAN, the SWIFT segment, and the PCI-DSS cardholder data environment without triggering EDR — because the attacker is acting as a legitimate Fortinet admin.

Darktrace and Mandiant have both reported pre-disclosure exploitation activity on Fortinet, Citrix, and Ivanti edge devices in 2026, with operators using these footholds for credential harvesting and privileged lateral movement directly into core banking systems. CVE-2026-24858 fits this exact pattern.

Impact on Saudi Financial Institutions

For SAMA-regulated banks, CVE-2026-24858 maps directly to multiple failures under the Cyber Security Framework. Control 3.3.7 on Cyber Security Event Management requires that privileged administrative actions on security infrastructure are logged and reviewed; an attacker who logs in as a legitimate admin via this bypass defeats that control. NCA Essential Cybersecurity Controls (ECC) sub-controls 2-2-3 (Identity and Access Management) and 2-5-3 (Network Security) similarly require strong authentication and segmentation that this CVE neutralizes.

Under PDPL Article 20, any compromise of FortiManager that could expose customer authentication data triggers breach notification to SDAIA within 72 hours. Saudi banks running Fortinet SD-WAN across branches — which is the dominant architecture in the Kingdom — must treat this as a Tier-1 incident regardless of whether exploitation has been confirmed locally.

Recommendations and Practical Steps

  1. Immediately disable FortiCloud SSO on all FortiManager, FortiAnalyzer, FortiOS, FortiProxy, and FortiWeb instances until vendor patches are validated; revert to local administrator authentication with hardware MFA.
  2. Restrict the management interface of every Fortinet appliance to a dedicated jump-host VLAN with explicit allow-lists; block ports 443 and 8443 from any untrusted network, including the corporate LAN.
  3. Pull the last 30 days of admin login records from FortiAnalyzer and your SIEM, and hunt for SAML assertions with unusual issuer URLs, anomalous source IPs, or admin sessions originating from geographies your bank does not operate in.
  4. Rotate every credential stored in FortiManager — IPsec pre-shared keys, BGP MD5 passwords, RADIUS shared secrets, LDAP bind accounts — under the assumption they are compromised.
  5. File an incident notification with SAMA Cyber Security Operations Center if any indicator of compromise is found, and prepare a 72-hour PDPL breach assessment for SDAIA.
  6. Engage your vCISO or GRC partner to update the Threat Intelligence section of your SAMA Cyber Resilience Self-Assessment with this CVE before the next quarterly submission.
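The hunt in step 3 can be scripted against exported admin-login records. The example below is added here and is not Fyntralink's or Fortinet's code: the log lines are constructed, their key=value field names (user, srcip, method, issuer, country) are an assumption rather than Fortinet's documented schema, and the expected issuer URL, management network and operating country are placeholders to replace with your bank's own baseline.

```python
import ipaddress
import re

# Constructed sample admin-login records in a key=value style. Field names are
# an assumption for illustration, not Fortinet's documented log schema.
SAMPLE_LOGS = """\
date=2026-03-02 time=08:14:02 user="admin" srcip=10.20.5.11 method="sso" issuer="https://sso.fortinet-cloud.example" country="SA" action="login" status="success"
date=2026-03-02 time=09:40:17 user="fw-ops" srcip=10.20.5.12 method="local" issuer="" country="SA" action="login" status="success"
date=2026-03-02 time=23:05:44 user="admin" srcip=198.51.100.23 method="sso" issuer="https://sso.fortinet-cloud.example" country="NL" action="login" status="success"
date=2026-03-03 time=01:12:09 user="admin" srcip=203.0.113.77 method="sso" issuer="https://unknown-idp.invalid" country="SA" action="login" status="success"
"""

# Hunt baseline (placeholders): the only issuer the FortiCloud SSO integration
# should present, the jump-host ranges admins log in from, and operating countries.
EXPECTED_ISSUERS = {"https://sso.fortinet-cloud.example"}
MGMT_NETWORKS = [ipaddress.ip_network("10.20.5.0/24")]
OPERATING_COUNTRIES = {"SA"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def hunt(log_text):
    """Return (record, reasons) for each successful admin login that deviates from baseline."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue
        reasons = []
        # An SSO login whose assertion issuer is not the expected IdP is the
        # forged/replayed-assertion signal from step 3.
        if rec.get("method") == "sso" and rec.get("issuer") not in EXPECTED_ISSUERS:
            reasons.append("unexpected SAML issuer")
        src = ipaddress.ip_address(rec["srcip"])
        if not any(src in net for net in MGMT_NETWORKS):
            reasons.append("source outside management network")
        if rec.get("country") not in OPERATING_COUNTRIES:
            reasons.append("login from non-operating geography")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in hunt(SAMPLE_LOGS):
        print(f'{rec["date"]} {rec["time"]} user={rec["user"]} src={rec["srcip"]}: {", ".join(reasons)}')
```

Any hit on the issuer check should be escalated under step 5 rather than closed as a false positive, since a legitimate FortiCloud SSO login never presents a different issuer.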

Conclusion

CVE-2026-24858 is the second authentication bypass in twelve months to compromise the Fortinet management plane, and it lands at a moment when SAMA, NCA, and SDAIA are all increasing scrutiny of edge-device hardening. Banks that wait for patches will find themselves explaining to regulators why they did not implement compensating controls during the documented exploitation window. The defensible posture is to disable FortiCloud SSO today, hunt for IoCs across the past 30 days, and document the entire response under your CSCC and ECC governance evidence trail.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.