
We Started The Fortinet Clock 48 Hours Ago. CISA Didn't Wait Sixty Days. They KEV'd CVE-2026-24858 The Same Day Fortinet Patched The Siblings. The Clock Collapsed To Zero.

  • Writer: Patrick Duggan
  • 2 minutes ago
  • 4 min read

On May 13, we published a Fortinet receipt post. The title named the clock. The last Fortinet pre-auth RCE we tracked end-to-end took sixty days from patch to CISA KEV. We started the countdown on the siblings that Fortinet patched that morning — CVE-2026-44277 in FortiAuthenticator and the companion pre-auth RCE in FortiSandbox.


The clock did not run sixty days. It did not run sixty hours. It ran zero.


CISA added CVE-2026-24858 to the Known Exploited Vulnerabilities catalog the same day Fortinet shipped the patch. CVE-2026-24858 is an authentication bypass affecting FortiAnalyzer, FortiManager, FortiOS, and FortiProxy when FortiCloud SSO is enabled. The bypass uses an alternate path that allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts. That is a cross-tenant auth bypass across four of Fortinet's flagship product lines, gated only on possession of a FortiCloud account, which is free to register.


CISA does not KEV a CVE on disclosure day for fun. KEV requires credible exploitation evidence. Either the bypass was already in active use against multiple tenants when Fortinet shipped the fix, or the disclosure included exploitation artifacts that CISA's verification pipeline accepted on the spot. Both readings reach the same place. The clock from patch to active-exploitation status was zero.


What the clock measures



The Fortinet sixty-day pattern is not an aesthetic complaint. It is a measurement. Pre-authentication remote code execution in network-edge security appliances has, on the past several tracked CVEs, taken approximately sixty days from Fortinet's patch announcement to the CISA KEV listing that gates federal patch deadlines. That window is the operational risk gap for every defender who does not patch on day one. Sixty days of internet-exposed Fortinet appliances running known-vulnerable code while attackers iterate on the disclosure into working capability.


Our position has been that the sixty-day window is the load-bearing problem, not the individual CVEs. Fortinet appliances are perimeter-trust devices. They issue identity tokens, broker SSO, terminate VPN, inspect traffic, manage other Fortinet appliances. A pre-auth bypass on any of them is a one-hop compromise of the trust boundary they were sold to defend.


CVE-2026-24858 makes the argument cleaner than we could have made it ourselves. The clock collapsed. The window between patch and active-exploitation evidence was zero days. Defenders running FortiCloud SSO on any of FortiAnalyzer, FortiManager, FortiOS, or FortiProxy have already been past the deadline since the moment they read about the patch.


Why this CVE specifically



CVE-2026-24858 is the worst-shaped bypass for a defender to face. It is alternate-path, which means a request reached an authenticated state through a route in the routing layer other than the intended authentication flow. Alternate-path bypasses are logic flaws, not memory-corruption flaws, which makes them stable across patch versions, easy to script, and durable in capability inventories.


The trust model assumed that registration of a device to a FortiCloud account would be the gate that scoped access to that device. The bypass demonstrates that a FortiCloud account holder with any registered device could authenticate to devices registered to entirely different accounts. Multi-tenant compartmentalization at the FortiCloud SSO layer failed open. MSPs, service providers, and federated enterprise deployments where many tenants share the FortiCloud control plane are the population most exposed.
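To make the trust-model failure concrete, here is a small model of a tenant-scoped device login check. This is an added illustration written for this post, not Fortinet code and not a description of how FortiCloud SSO is implemented; the accounts, serials and registry are constructed sample data. It contrasts a check that only verifies the caller owns some registered device (the shape of an alternate-path failure) with the intended check that binds the target device to the caller's own account, and enumerates which cross-tenant logins each one would accept.

```python
"""Model of a tenant-scoped device login check (added illustration, not Fortinet code).

Two variants of a cloud-SSO authorization step are modelled as a teaching aid for the
failure class the post describes: an 'alternate path' that checks only that the caller
owns *some* registered device, versus the intended check that the target device is
registered to the caller's own account. Every account, device and serial is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str
    owner_account: str  # cloud account the device is registered to (constructed)


@dataclass(frozen=True)
class SsoSession:
    account: str                    # account the identity provider vouched for
    registered_devices: frozenset   # serials this account has registered


# Constructed registry: two tenants, one device each.
REGISTRY = {
    "FG-TENANT-A-001": Device("FG-TENANT-A-001", "tenant-a"),
    "FG-TENANT-B-001": Device("FG-TENANT-B-001", "tenant-b"),
}


def login_alternate_path(session: SsoSession, target_serial: str) -> bool:
    """Flawed model: accepts any SSO account that has registered at least one device.
    It never compares the target device's owner with the session's account, so a
    tenant-a session is accepted by tenant-b's device."""
    device = REGISTRY.get(target_serial)
    if device is None:
        return False
    return len(session.registered_devices) > 0


def login_scoped(session: SsoSession, target_serial: str) -> bool:
    """Intended model: the device must be registered to the requesting account, and
    the account must list that exact serial. Both checks bind the login to one tenant."""
    device = REGISTRY.get(target_serial)
    if device is None:
        return False
    return device.owner_account == session.account and target_serial in session.registered_devices


def cross_tenant_exposure(check) -> list:
    """List (session_account, device_serial) pairs the given check accepts across tenant
    lines. An empty list means the check is properly scoped."""
    sessions = [
        SsoSession("tenant-a", frozenset({"FG-TENANT-A-001"})),
        SsoSession("tenant-b", frozenset({"FG-TENANT-B-001"})),
    ]
    leaks = []
    for s in sessions:
        for serial, dev in REGISTRY.items():
            if dev.owner_account != s.account and check(s, serial):
                leaks.append((s.account, serial))
    return leaks


if __name__ == "__main__":
    print("alternate path accepts across tenants:", cross_tenant_exposure(login_alternate_path))
    print("scoped check accepts across tenants:  ", cross_tenant_exposure(login_scoped))
```

The point of the model is the review question it encodes: every authentication route into a multi-tenant control plane has to carry the device-to-account binding, not just proof that the caller is a valid account with a device somewhere.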


This is the second alternate-path Fortinet auth bypass to hit our coverage threshold this quarter. The pattern is recurrent because the underlying architecture has a number of authentication routes through it that were retrofitted onto a product line that grew faster than its identity model.


What to do today



If you operate FortiAnalyzer, FortiManager, FortiOS, or FortiProxy and you have FortiCloud SSO enabled on any of those devices, patch now. The Fortinet PSIRT advisory tied to CVE-2026-24858 names the fixed versions. Apply them. Reboot or restart as the vendor specifies.


If you cannot patch in the same business day, disable FortiCloud SSO on the affected devices and fall back to local authentication or a different IdP for the management plane while you complete the patch cycle. Do not skip the rollback. The bypass requires FortiCloud SSO to be enabled — turning it off closes the path entirely.


Audit administrator activity across every FortiCloud-managed device in your estate for the last several weeks. Authentication that crosses account boundaries is the signature of exploitation. Source-IP anomalies, region anomalies, and admin sessions originating from FortiCloud account contexts that do not match your tenant identity should be treated as compromise indicators until proven otherwise.
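As an added example of that audit, not code from the post, the script below triages successful admin-login events for the two indicators named above: an SSO login whose account is not one of your own tenant accounts, and a login whose source IP lies outside your expected administrative networks. The sample lines are constructed to look like FortiOS-style key="value" event syslog; the `method` and `sso_account` field names are assumptions for this illustration, so map them to whatever fields your own devices actually emit before running it over real logs.

```python
"""Triage admin-login events for cross-tenant SSO and source-IP anomalies.

Added example, not code from the post. The log lines are constructed; the `method`
and `sso_account` fields are assumed names for this illustration and must be mapped
to the fields your devices really emit.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: four successful admin logins on a device owned by tenant "acme".
SAMPLE_LOGS = [
    'date=2026-05-14 time=09:02:11 devname="fg-edge-01" type="event" subtype="system" user="admin" ui="https(10.20.0.5)" method="local" action="login" status="success" srcip=10.20.0.5 msg="Administrator admin logged in successfully from https(10.20.0.5)"',
    'date=2026-05-14 time=09:15:40 devname="fg-edge-01" type="event" subtype="system" user="ops-lead" ui="https(10.20.0.9)" method="forticloud-sso" sso_account="acme" action="login" status="success" srcip=10.20.0.9 msg="Administrator ops-lead logged in successfully"',
    'date=2026-05-14 time=23:48:03 devname="fg-edge-01" type="event" subtype="system" user="admin" ui="https(198.51.100.23)" method="forticloud-sso" sso_account="globex" action="login" status="success" srcip=198.51.100.23 msg="Administrator admin logged in successfully"',
    'date=2026-05-15 time=01:12:57 devname="fg-edge-01" type="event" subtype="system" user="admin" ui="https(192.0.2.77)" method="local" action="login" status="success" srcip=192.0.2.77 msg="Administrator admin logged in successfully"',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value syslog line into a dict; quoted values keep their spaces."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def triage(lines, tenant_accounts, admin_networks) -> List[dict]:
    """Return one finding per suspicious successful admin login.

    tenant_accounts: the cloud SSO account names that legitimately manage this device.
    admin_networks:  CIDR strings from which administration is expected.
    """
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        reasons = []
        # Indicator 1: SSO login vouched for by an account that is not ours (cross-tenant).
        if ev.get("method") == "forticloud-sso" and ev.get("sso_account") not in tenant_accounts:
            reasons.append(f"cross-tenant SSO account {ev.get('sso_account')!r}")
        # Indicator 2: source address outside the expected admin networks.
        src = ev.get("srcip")
        if src and not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append(f"source {src} outside admin networks")
        if reasons:
            findings.append({
                "time": f"{ev['date']} {ev['time']}",
                "user": ev.get("user"),
                "srcip": src,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS, {"acme"}, ["10.20.0.0/16"]):
        print(f["time"], f["user"], f["srcip"], "; ".join(f["reasons"]))
```

On the constructed sample, the script flags the late-night SSO login vouched for by a foreign account from an unexpected address on both counts, and the local login from a second unexpected address on the source-IP count alone; the two in-network logins pass. Widen `admin_networks` to your real management ranges and feed it the full window the post recommends.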


Rotate. If you find any indication of cross-tenant access that does not match your authorized administrator pool, treat the affected devices as compromised. Rotate every administrator credential, every API token, every IPsec PSK, every SSL VPN certificate, every SAML signing key federated through the affected devices. Fortinet appliances at the network edge are the trust anchor for everything inside them — once that anchor is in question, the surface area of cleanup is most of your perimeter.


Where we sit



The May 13 receipt is the post that named the sixty-day clock. The May 15 receipt is the post that names the clock collapsing to zero. The companion FortiCloud SSO advisory is on KEV the same day the patch shipped. Subscribers pulling the STIX feed will see attributable FortiCloud-SSO-exploitation infrastructure flow through the normal pipeline as campaign attribution catches up to the advisory.


The product is the lead time. When Fortinet patches the next pre-auth bug on the family of edge appliances we monitor, the clock starts again. The next time the clock collapses to zero, this post is the receipt that we called the pattern correctly two days earlier.


Patch CVE-2026-24858. Audit cross-tenant access. The sibling RCEs we wrote about on May 13 are still on the clock too. None of them can wait.


Sources: DugganUSA blog post "Fortinet Patched Pre-Auth RCE in FortiSandbox and FortiAuthenticator Today. The Last One We Tracked Hit CISA KEV in Sixty Days," published 2026-05-13. CISA Known Exploited Vulnerabilities Catalog entry for CVE-2026-24858, added 2026-05-13. Fortinet PSIRT advisory naming the fixed builds across FortiAnalyzer, FortiManager, FortiOS, and FortiProxy.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
