
FortiOS SSL-VPN: The Cookie That Skips the Login Page (CVE-2026-24472)

CVE-2026-24472 -- KEV-listed January 2026. Authentication bypass in the FortiOS SSL-VPN web portal. Confirmed in-the-wild use as initial access for ransomware deployments. Fortinet PSIRT advisory FG-IR-25-482.

FortiGate firewalls run a sizeable share of the mid-market perimeter. The SSL-VPN web portal is the component you enable when remote workers need access and you don't want to issue certificates to every laptop. It is also, historically, the most exploited component on FortiOS -- there have been at least five KEV-listed SSL-VPN CVEs since 2022.

CVE-2026-24472 is the latest. A crafted session cookie, replayed against the portal, is accepted as authenticated. The attacker lands on the post-login page without ever presenting credentials. From there they have VPN access to the internal network and, in the exploitation chains documented by CISA, a second-stage escalation to FortiGate admin access. That's full firewall compromise from an unauthenticated network position.

In-the-wild exploitation was documented starting late December 2025. CISA KEV-listed the CVE on January 22, 2026. Since then multiple ransomware groups have integrated this into their initial-access playbooks.

What it lets an attacker do

Two things, in sequence.

First, unauthenticated VPN access. The attacker connects through the SSL-VPN portal as a "legitimate" user session. They now have whatever network access your VPN policy grants -- typically "most of the internal network."

Second, in roughly 40% of observed chains, admin escalation on the FortiGate itself. Once inside, the attacker pivots to the device's admin web UI and uses the authenticated position to install a persistent backdoor, disable logging, and stage the ransomware deployment.

Blast radius depends on your segmentation. For a flat internal network with domain-joined servers and an unprotected backup server (which is most mid-market networks), the impact is a Tuesday-morning full-environment ransomware event.

How to tell if you're exposed

You're exposed if all three are true: (1) you run FortiOS, (2) the SSL-VPN web portal is enabled and internet-accessible, and (3) the firmware is older than the April 2026 patch line. Check with:

# From a FortiGate CLI:
get system status | grep 'Version'
show system interface | grep 'sslvpn'

Patched firmware lines: FortiOS 7.4.5, 7.2.10, 7.0.17, or 6.4.16 (and anything newer in each branch). Anything earlier is vulnerable.

From outside your network, you can confirm the portal is exposed without exploiting the bug:

curl -sI https://your-firewall.example.com/remote/login | head -20
# FortiOS-served login pages return a distinctive "Server: xxxxxxxx-xxxxx" header.
# A 200 response on /remote/login means the portal is internet-reachable.

If the portal is internet-reachable and the firmware is vulnerable, you are in the window of exploitation.
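To turn the firmware check above into something repeatable, here is an added example (not code from the page or from CELVEX Group) that parses the `Version:` line from `get system status` output and compares it against the patched lines listed above; the sample CLI output is constructed, and whether the web portal is enabled is passed in as a flag rather than parsed.

```python
import re

# Minimum patched build per branch, as listed in the section above.
PATCHED = {
    (7, 4): (7, 4, 5),
    (7, 2): (7, 2, 10),
    (7, 0): (7, 0, 17),
    (6, 4): (6, 4, 16),
}

# Matches the "vMAJOR.MINOR.PATCH" token in a FortiOS "Version:" line.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample of `get system status` output (not from a real device).
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.2.8,build1639,240213 (GA.M)
Hostname: fw-edge-01
"""


def parse_version(status_output):
    """Return the firmware version as a (major, minor, patch) tuple, or None."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def assess(version, portal_enabled):
    """Classify a device as patched / vulnerable / at-risk / unknown.

    'at-risk' means the firmware is vulnerable but the SSL-VPN web portal is
    disabled, so the bug is not reachable until someone re-enables it.
    """
    if version is None:
        return "unknown", "could not parse a firmware version"
    branch = version[:2]
    fixed = PATCHED.get(branch)
    if fixed is None:
        if branch < (6, 4):
            return "vulnerable", "branch predates every patched line; upgrade"
        return "unknown", "branch not in the advisory's patch list; check PSIRT"
    if version >= fixed:
        return "patched", "firmware is at or above the patched build"
    if not portal_enabled:
        return "at-risk", "vulnerable firmware, but the web portal is disabled"
    return "vulnerable", "patch to %d.%d.%d or newer today" % fixed
```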

What the PoC looks like

Public PoCs exist but we are not linking them. Fortinet's FG-IR-25-482 advisory contains the indicators of compromise -- specifically, unexpected admin-account creations, new VPN user accounts appearing outside your provisioning workflow, and cookie values in logs that don't match your session-issuer format. Mandiant's M-Trends coverage has the broader threat-actor context.

Our scanner test for this

CELVEX Group runs ZERODAY-2026-0003 (FortiOS SSL-VPN auth bypass) as a passive-first check. The wave-1 probe combines three signals -- the opaque Server: xxxxxxxx-xxxxx header, the FortiGate login-page body fingerprint, and the TLS JARM hash -- to flag a target as "FortiOS SSL-VPN exposed to the internet" without sending any exploit payload. Wave 3 is a manual follow-up (Semi-Auto) so our analysts can correlate the finding with Fortinet's published IoCs rather than fire a noisy probe.

Module: core/test_catalog/_supplement_zeroday_2026-04-18.py, test_id ZERODAY-2026-0003.

What to do today

  1. Patch firmware same-day. 7.4.5, 7.2.10, 7.0.17, or 6.4.16. This is a "drop everything" patch -- the exploitation rate is high and the attacker pool is broad.
  2. If you cannot patch today, disable the SSL-VPN web portal and force remote access through IPsec with certificate-based auth. Yes, that inconveniences your remote workers for 24 hours. The alternative is a ransomware call at 3am.
  3. Audit FortiOS admin logs against FG-IR-25-482 IoCs. Specifically: new admin accounts, new VPN user accounts, VPN sessions from unexpected source IPs, and any admin config change outside your change window. If any IoC matches, treat this as an active incident and engage incident response before attempting further remediation.
