More than 3,280,081 Fortinet devices are currently exposed online and at risk from a critical vulnerability tracked as CVE-2026-24858. The flaw is an authentication bypass that is actively being exploited in the wild and affects several Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. Its severity is reflected in a Common Vulnerability Scoring System (CVSS) rating of 9.4.
Understanding the Risk: Critical Authentication Bypass Under Attack
CVE-2026-24858 allows an attacker who holds a FortiCloud account with a registered device to gain unauthorized access to other organizations' devices when the FortiCloud Single Sign-On (SSO) feature is enabled. Although the SSO feature is disabled by default, many administrators enable it inadvertently while registering their devices with FortiCare, because the registration flow turns on administrative login via FortiCloud SSO unless that option is explicitly deselected.
On January 27, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its catalog of Known Exploited Vulnerabilities, establishing a deadline for remediation set for January 30, 2026, which coincides with the date of this report.
Vulnerability Overview
- CVE Identifier: CVE-2026-24858 (CVSS Score: 9.4)
- Nature of the Issue: Critical authentication bypass via FortiCloud SSO enabling cross-account device access
- Affected Products: FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb
- Vulnerable Versions: Various versions from branches 7.x–8.x
Fortinet confirmed active exploitation as of January 22, 2026. During its investigation it identified two malicious FortiCloud accounts, cloud-noc@mail.io and cloud-init@mail.io, that were used in the attacks. The attackers exploited the vulnerability to download configurations from affected devices and to establish persistent access by creating local administrator accounts with innocuous names such as "audit," "backup," "itadmin," "secadmin," "support," "svcadmin," or "system," which can easily go unnoticed by system administrators.
In response, Fortinet temporarily disabled the FortiCloud SSO feature on January 26, 2026. It re-enabled the feature the following day with version-based restrictions that block vulnerable devices from authenticating.
The affected FortiOS versions are 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18, all of which should be patched immediately. FortiManager and FortiAnalyzer have similar affected-version ranges, while FortiProxy and FortiWeb are affected across several major releases. Whether FortiSwitch Manager is affected remains under investigation.
Currently, patches are available for several branches. For FortiOS, users need to upgrade to version 7.4.11 or 7.6.6, while FortiManager requires versions 7.4.10 or 7.6.6, and FortiAnalyzer needs to be updated to either version 7.2.12 or 7.0.16.
For organizations that cannot implement these patches immediately, the Censys advisory recommends disabling the FortiCloud SSO feature and performing a thorough review of all administrator accounts to identify any unauthorized users who may match the naming patterns used by the attackers.
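The two checks recommended above, confirming whether FortiCloud SSO administrative login is enabled and reviewing local administrator accounts for the attacker-used names, can be automated against a configuration export. The following script is an added example written for this article; it is not Fortinet's tooling. It parses the FortiOS CLI-style layout (`config` / `edit` / `set` / `next` / `end`) and assumes that the toggle for FortiCloud SSO admin login is the `admin-forticloud-sso-login` setting under `config system global`; the configuration it examines is constructed for the example, not taken from any real device.

```python
"""Review a FortiOS-style configuration export for the two indicators the
advisory calls out: local administrator accounts whose names match the
attacker-created names, and FortiCloud SSO administrative login left enabled.

Added example, not Fortinet's own tooling. The setting name
'admin-forticloud-sso-login' under 'config system global' is assumed to be
the relevant toggle; the sample configuration below is constructed."""

# Administrator account names the advisory reports the attackers creating.
SUSPICIOUS_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin",
                          "support", "svcadmin", "system"}

# Constructed sample export (not from a real device) containing one
# suspicious account and SSO admin login left enabled.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "svcadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""


def parse_sections(config_text):
    """Return {section: [(entry_name, {setting: value}), ...]} for every
    top-level 'config ...' block. Settings placed directly under a section
    (as in 'config system global') are stored with entry name None.
    Nested sub-blocks inside an entry are skipped, not parsed."""
    sections = {}
    section = None
    entry = None
    settings = {}
    depth = 0  # >0 while inside a nested 'config' block we are skipping
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if section is None:
                section = line[len("config "):]
                sections.setdefault(section, [])
                entry, settings = None, {}
            else:
                depth += 1
            continue
        if depth > 0:
            if line == "end":
                depth -= 1
            continue
        if line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            settings = {}
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            settings[key] = value.strip('"')
        elif line == "next":
            sections[section].append((entry, settings))
            entry, settings = None, {}
        elif line == "end":
            if settings:  # section-level settings with no 'edit' entries
                sections[section].append((None, settings))
            section, settings = None, {}
    return sections


def find_suspicious_admins(sections):
    """Admin account names matching the attacker-used names, case-insensitive."""
    admins = sections.get("system admin", [])
    return sorted(name for name, _ in admins
                  if name and name.lower() in SUSPICIOUS_ADMIN_NAMES)


def forticloud_sso_enabled(sections):
    """True when the (assumed) admin-forticloud-sso-login setting is 'enable'."""
    for _, settings in sections.get("system global", []):
        if settings.get("admin-forticloud-sso-login") == "enable":
            return True
    return False


def review(config_text):
    """Summarise both indicators for a configuration export."""
    sections = parse_sections(config_text)
    return {
        "admins": sorted(n for n, _ in sections.get("system admin", []) if n),
        "suspicious_admins": find_suspicious_admins(sections),
        "forticloud_sso_enabled": forticloud_sso_enabled(sections),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A name match is only a prompt for investigation: an account called "backup" may be legitimate, so the output should be compared against the organisation's own record of who created each administrator account and when. The parser is deliberately conservative and ignores nested sub-blocks such as per-account trusted-host entries; extend it if those are needed.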