Comprehensive Threat Exposure Management Platform
CVE-2026-24858 is a critical authentication bypass vulnerability (CVSS 9.8) affecting multiple Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, and FortiProxy, when FortiCloud Single Sign-On (SSO) is enabled. The flaw allows attackers with any valid FortiCloud account to gain unauthorized administrative access to devices belonging to other organizations, and has been actively exploited in the wild since mid-January 2026. Successful exploitation can lead to full device compromise, configuration tampering, and loss of control over perimeter security infrastructure. Immediate patching, disabling FortiCloud SSO where possible, and auditing for unauthorized administrative activity are strongly recommended.
CVE-2026-24858 is a critical authentication bypass vulnerability (CWE-288) with a CVSS score of 9.8, affecting Fortinet products including FortiOS, FortiManager, FortiAnalyzer, and FortiProxy when FortiCloud Single Sign-On (SSO) is enabled. FortiOS powers FortiGate firewalls, widely deployed enterprise-grade security appliances used for perimeter defense, VPN termination, and threat protection, while FortiManager and FortiAnalyzer provide centralized management and logging across Fortinet environments. Initial activity was suspected to be a patch bypass of CVE-2025-59718, but Fortinet confirmed this as a distinct vulnerability on January 23, 2026.
The flaw stems from improper access control in the FortiCloud SSO trust mechanism, enabling authentication bypass via an alternate path. An attacker with any valid FortiCloud account and a registered device can exploit this weakness to authenticate to Fortinet devices belonging to other customers or organizations. Although FortiCloud SSO is disabled by default, it may be automatically enabled when devices are registered with FortiCare via the GUI, significantly expanding the exposed attack surface.
Active exploitation has been observed since January 15, 2026, with threat actors using known malicious FortiCloud accounts to conduct automated attacks from Cloudflare-protected IP infrastructure. Post-exploitation activity includes downloading firewall configuration files, creating persistent local administrator accounts (e.g., secadmin, itadmin, support, backup), and modifying configurations to enable VPN access. This activity impacts multiple major product branches, particularly versions 7.0.x through 7.6.x, and poses severe risks including network compromise, lateral movement, and loss of control over critical security infrastructure, especially in environments heavily reliant on FortiCloud-based management.
Fortinet has released FortiOS 7.4.11 to address this vulnerability, with patches for other affected branches forthcoming. Organizations should upgrade immediately, audit for unauthorized administrator accounts and suspicious FortiCloud authentication activity, and disable FortiCloud SSO on internet-facing devices until patching is complete.
Upgrade all affected Fortinet devices to the latest firmware versions as soon as patches become available. Fortinet has announced upcoming releases including FortiOS 7.6.6, 7.2.13, and 7.0.19, as well as corresponding updates for FortiManager, FortiAnalyzer, and FortiProxy. Monitor official Fortinet channels and the FortiGuard PSIRT advisory for patch availability and follow the recommended upgrade path using the Fortinet upgrade tool.
Although Fortinet has disabled FortiCloud SSO for vulnerable devices at the cloud level, administrators should verify the configuration on their devices. Navigate to System, then Settings, and ensure the “Allow administrative login using FortiCloud SSO” toggle is set to Off. Alternatively, use the CLI command config system global and set sso-enabled disable.
Conduct an immediate audit of all administrator accounts on affected devices. Look specifically for unauthorized accounts with names such as audit, backup, itadmin, secadmin, support, backupadmin, deploy, remoteadmin, security, svcadmin, or system. Remove any accounts that were not created by authorized personnel and reset passwords for all legitimate administrative accounts.
Examine device authentication logs for any logins from the known malicious accounts cloud-noc@mail.io and cloud-init@mail.io. Also search for authentication attempts from the identified threat actor IP addresses.
If compromise indicators are detected, treat the device as fully compromised. Restore the configuration from a known clean backup taken before January 2026, or conduct a thorough manual audit of all configuration changes. Pay particular attention to VPN configurations, firewall policies, and administrative access settings.
Change all credentials for LDAP and Active Directory accounts that may be connected to or accessible from the FortiGate devices. Attackers who exfiltrated configurations may have obtained stored credentials or service account information that could be used for lateral movement.
Restrict administrative access to Fortinet devices to dedicated management networks only. Ensure that management interfaces are not exposed directly to the internet and require VPN or jump host access for remote administration.
Implement enhanced monitoring for any new administrator account creation, configuration changes, and unusual authentication patterns on all Fortinet devices. Configure alerts for logins from unexpected geographic locations or during non-business hours.
Initial Access
Execution
Persistence
Defense Evasion
Credential Access
Collection
Command and Control
Resource Development
Malicious Email Accounts:
Attacker IP Addresses (Cloudflare-protected):
Suspicious Administrator Account Names:
Get through updates and upcoming events, and more directly in your inbox