CISA’s June 18 alert goes beyond standard patching guidance, directing federal agencies to rotate all credentials, enforce modern hashing, and assume compromise across their Fortinet device fleet.
The Cybersecurity and Infrastructure Security Agency issued an alert on June 18, 2026, urging immediate hardening of Fortinet devices following reports of credential exposure affecting 86,644 FortiGate firewalls globally. The directive targets federal civilian agencies but carries implicit guidance for all organizations operating Fortinet infrastructure.
CISA’s recommended actions include: immediate rotation of all administrative credentials, enforcement of PBKDF2 password hashing to replace legacy SHA-256 configurations, application of patches for CVE-2026-24858 (the FortiCloud SSO authentication bypass scored at CVSS 9.8), and a comprehensive audit of access logs for unauthorized authentication patterns.
The significance of CISA’s framing lies in what it implies about the sufficiency of the vendor’s patch on its own. When a federal agency issues a fleet-wide hardening directive that extends well beyond “apply the patch,” the implicit message is that the underlying credential exposure cannot be resolved through software updates alone. Defenders must assume that valid credentials are circulating in adversary infrastructure and act accordingly.
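The access-log audit CISA recommends can be scripted. The following is an added example, not code from CISA or Fortinet: it parses constructed FortiGate-style key=value admin login events (the field names and the 10.0.5.0/24 management network are assumptions) and flags two patterns a defender assuming credential compromise would want to see, successful admin logins from outside the management network and successes that follow a run of failures from the same source.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FortiGate-style admin event log lines (key=value format). The exact
# field names on a real device are an assumption; adjust them to your export.
SAMPLE_LOGS = """\
date=2026-06-18 time=08:01:10 logdesc="Admin login successful" user="admin" srcip=10.0.5.12 action="login" status="success"
date=2026-06-18 time=08:05:42 logdesc="Admin login failed" user="admin" srcip=203.0.113.77 action="login" status="failed"
date=2026-06-18 time=08:05:44 logdesc="Admin login failed" user="admin" srcip=203.0.113.77 action="login" status="failed"
date=2026-06-18 time=08:05:47 logdesc="Admin login failed" user="admin" srcip=203.0.113.77 action="login" status="failed"
date=2026-06-18 time=08:05:51 logdesc="Admin login successful" user="admin" srcip=203.0.113.77 action="login" status="success"
date=2026-06-18 time=09:12:03 logdesc="Admin login successful" user="netops" srcip=10.0.5.40 action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value line into a dict; values may be quoted or bare."""
    return {k: q or b for k, q, b in KV_RE.findall(line)}

def is_trusted(ip, trusted_nets):
    """True if ip falls inside one of the management networks (CIDR strings)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a missing or malformed srcip is never trusted
    return any(addr in ipaddress.ip_network(n) for n in trusted_nets)

def audit_admin_logins(log_text, trusted_nets=("10.0.5.0/24",), fail_threshold=3):
    """Flag admin logins from outside the management networks and successes that follow a failure run."""
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        ip, user, when = ev.get("srcip", ""), ev.get("user", "?"), f"{ev.get('date')} {ev.get('time')}"
        if ev.get("status") == "failed":
            failures[ip] += 1
            continue
        if ev.get("status") != "success":
            continue
        if not is_trusted(ip, trusted_nets):
            findings.append(f"{when} {user}@{ip}: admin login from outside management network")
        if failures[ip] >= fail_threshold:
            findings.append(f"{when} {user}@{ip}: success after {failures[ip]} failed attempts")
        failures[ip] = 0  # a success ends the failure run
    return findings
```

Run `audit_admin_logins(SAMPLE_LOGS)` to get the findings list; with the sample data it reports the 203.0.113.77 login twice, once for each pattern.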
Source: CISA Alert: Hardening Fortinet Devices (June 18, 2026)