More than 3,280,081 Fortinet devices are currently exposed online with internet-facing web properties, leaving a significant number of organizations at serious risk of compromise. The exposure is linked to CVE-2026-24858, a critical FortiCloud SSO authentication-bypass vulnerability that is already being actively exploited in the wild.
The flaw carries a CVSS score of 9.4, placing it among the most severe Fortinet vulnerabilities disclosed in 2026. It impacts widely deployed products including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. With attackers already abusing the weakness, security teams are under increasing pressure to act quickly to prevent unauthorized access and potential network-wide compromise.
What Happened in the Fortinet Authentication Bypass Incident
The incident came to light after abnormal activity was observed targeting internet-exposed Fortinet management interfaces running FortiOS and related platforms. According to Fortinet, attackers were exploiting a flaw in FortiCloud Single Sign-On (SSO) that made it possible to cross authentication boundaries between different customer environments.
At the heart of CVE-2026-24858 is a design flaw that allows a threat actor with any FortiCloud account and a registered device to authenticate into other organizations’ Fortinet devices, provided FortiCloud SSO is enabled. Although the feature is disabled by default, it is often enabled during FortiCare device registration unless administrators explicitly disable the option allowing administrative login via FortiCloud SSO.
Once enabled, this setting can quietly expose FortiGate firewalls and other appliances to unauthorized access, often without triggering immediate alarms or alerts.
Who Is Affected by CVE-2026-24858
The scope of CVE-2026-24858 is broad and affects a wide cross-section of Fortinet customers worldwide.
- Affected products: FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb
- Vulnerable versions: Multiple releases across 7.x–8.x branches, as detailed in Fortinet advisories
- Exposure type: Internet-facing web and management interfaces on Fortinet devices
- At-risk users: Enterprises, managed service providers, government networks, and critical infrastructure operators
Based on internet-wide scanning data referenced by Censys, approximately 3,280,081 Fortinet devices were identified online with exposed web properties that could potentially be targeted by attackers.
Technical Details: How the Authentication Bypass Works
CVE-2026-24858 originates from a flaw in how FortiCloud SSO authentication requests are validated on affected Fortinet devices. When FortiCloud SSO is enabled, the systems fail to properly enforce tenant isolation, allowing authentication tokens to be accepted across different organizations.
According to Fortinet and multiple security advisories, exploitation typically follows this sequence:
- A threat actor controls a FortiCloud account with a registered device
- FortiCloud SSO is abused to authenticate against another organization’s Fortinet device
- Administrative access is granted without proper authorization checks
Once access is obtained, attackers were seen downloading full device configurations and creating persistent local administrator accounts across FortiOS, FortiManager, FortiAnalyzer, and FortiProxy systems. These accounts were deliberately named to appear legitimate, using names such as audit, backup, itadmin, secadmin, support, svcadmin, and system.
Fortinet also confirmed that two malicious FortiCloud accounts — cloud-noc@mail.io and cloud-init@mail.io — were directly involved in real-world exploitation of CVE-2026-24858.
What You Should Do Now: Immediate Protection Steps
Organizations using affected Fortinet products should take immediate action to reduce risk associated with CVE-2026-24858 and FortiCloud SSO exposure.
- Apply available patches immediately, upgrading to fixed versions such as FortiOS 7.4.11 or 7.6.6 and the corresponding FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb releases
- Disable FortiCloud SSO if patching cannot be completed right away, following Fortinet’s official guidance
- Review all administrator accounts and remove any unfamiliar or suspicious users
- Audit logs and configuration history for signs of unauthorized access or configuration downloads
- Restrict management interface exposure, limiting access to trusted networks or VPNs only
Delaying remediation significantly increases the risk of persistent access, configuration theft, and deeper compromise across environments that depend on Fortinet security devices.
Official Response from Fortinet
Fortinet confirmed active exploitation of CVE-2026-24858 on January 22, 2026, linking the attacks to FortiCloud SSO authentication bypass attempts targeting FortiOS and related platforms. On January 26, the company temporarily disabled FortiCloud SSO, re-enabling it the following day with version-based enforcement designed to block vulnerable devices until they are patched.
Security updates have since been released across multiple product lines, while FortiSwitch Manager remains under investigation for potential related impact.
In parallel, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog on January 27, setting a mandatory remediation deadline of January 30, 2026 for U.S. federal agencies.
Closing Thoughts
With exploitation of CVE-2026-24858 already underway, this FortiCloud SSO authentication-bypass flaw represents a high-risk threat for organizations relying on Fortinet infrastructure for perimeter and network security. The incident highlights how cloud-based management features, when misconfigured or left unpatched, can dramatically expand an organization’s attack surface.
Administrators should act without delay by applying patches, disabling unnecessary features, and reviewing all privileged access on exposed Fortinet devices. Cyberinfos.in will continue tracking this CVE-2026-24858 campaign and provide updates as new information and mitigation guidance become available.
