Fortinet Devices: 3.2M Exposed Web Properties Online With
More than 3.28 million Fortinet devices, exposed online as web properties, are vulnerable to CVE-2026-24858. This severe authentication-bypass flaw is actively exploited in the wild.
The vulnerability, rated 9.4 on the CVSS scale, affects multiple Fortinet product lines, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb.
Critical Authentication Bypass Exploited in Active Attacks
CVE-2026-24858 allows threat actors with a FortiCloud account and a registered device to authenticate into other organizations’ devices when FortiCloud SSO is enabled.
While this feature is disabled by default, administrators frequently enable it during FortiCare device registration unless they explicitly toggle off the “Allow administrative login using FortiCloud SSO” option.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on January 27, 2026, establishing a remediation deadline of January 30, 2026, the same day as this report.
| Field | Description |
|---|---|
| CVE | CVE-2026-24858 (CVSS 9.4) |
| Issue | Critical auth bypass via FortiCloud SSO allowing cross-account device access |
| Affected Products | FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb |
| Vulnerable Versions | Multiple versions across 7.x–8.x branches |
Fortinet confirmed active exploitation on January 22, 2026, identifying two malicious FortiCloud accounts, [email protected] and [email protected], responsible for the attacks.
Threat actors leveraged the vulnerability to download device configurations and establish persistence by creating local administrator accounts with innocuous-looking names such as “audit,” “backup,” “itadmin,” “secadmin,” “support,” “svcadmin,” or “system.”
In response, Fortinet temporarily disabled FortiCloud SSO on January 26, 2026, and re-enabled it the following day with version-based restrictions blocking vulnerable devices from authentication.
The vulnerability affects a wide range of versions across Fortinet’s enterprise security portfolio.
FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18 require immediate patching.
FortiManager and FortiAnalyzer share similar vulnerable version ranges, while FortiProxy and FortiWeb face exposure across multiple major releases. FortiSwitch Manager remains under investigation.
Patches are currently available for select branches, with FortiOS requiring upgrades to version 7.4.11 or 7.6.6, FortiManager needing 7.4.10 or 7.6.6, and FortiAnalyzer requiring 7.2.12 or 7.0.16.
According to the Censys advisory, organizations that cannot patch immediately should disable FortiCloud SSO and review all admin accounts for unauthorized users matching attacker-created naming patterns.
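A triage script for that review, added here as an illustration rather than anything from the Censys or Fortinet advisories: it reads a FortiOS configuration backup, reports whether the FortiCloud SSO admin login is enabled (the CLI key `admin-forticloud-sso-login` is assumed to be the setting behind the GUI toggle named above), checks the firmware version against the FortiOS ranges listed in this report, and flags admin accounts whose names match the attacker-created pattern. The backup text is a constructed sample.

```python
"""Triage a FortiOS config backup for the CVE-2026-24858 indicators described above."""
import re

# Admin account names the report says the attackers created.
SUSPICIOUS_ADMINS = {"audit", "backup", "itadmin", "secadmin", "support", "svcadmin", "system"}

# Vulnerable FortiOS ranges from the report: (major, minor) -> (first patch, last patch), inclusive.
VULNERABLE_FORTIOS = {
    (7, 6): (0, 5),
    (7, 4): (0, 10),
    (7, 2): (0, 12),
    (7, 0): (0, 18),
}

# Constructed sample: a trimmed FortiOS backup with one attacker-style admin account.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.3-FW-build2573-240201:opmode=0:vdom=0:user=admin
config system global
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svcadmin"
        set accprofile "super_admin"
    next
end
"""

def fortios_vulnerable(version):
    """True if 'major.minor.patch' falls inside a vulnerable range from the report."""
    major, minor, patch = (int(x) for x in version.split("."))
    rng = VULNERABLE_FORTIOS.get((major, minor))
    return rng is not None and rng[0] <= patch <= rng[1]

def triage_config(text):
    """Return firmware version, vulnerability status, SSO-login state and suspicious admin names."""
    m = re.search(r"#config-version=\w+-(\d+\.\d+\.\d+)-", text)
    version = m.group(1) if m else None
    # Assumed CLI key for the GUI's "Allow administrative login using FortiCloud SSO" toggle.
    sso = re.search(r"set admin-forticloud-sso-login (\w+)", text)
    sso_enabled = bool(sso) and sso.group(1) == "enable"
    admin_block = re.search(r"config system admin\n(.*?)\nend", text, re.S)
    admins = re.findall(r'edit "([^"]+)"', admin_block.group(1)) if admin_block else []
    suspicious = sorted(a for a in admins if a.lower() in SUSPICIOUS_ADMINS)
    return {"version": version, "vulnerable": bool(version) and fortios_vulnerable(version),
            "sso_enabled": sso_enabled, "suspicious_admins": suspicious}

if __name__ == "__main__":
    print(triage_config(SAMPLE_CONFIG))
```

A device that reports `sso_enabled` true and `vulnerable` true should have SSO login disabled until it is upgraded to a fixed build, and any name listed under `suspicious_admins` that nobody on the team can account for warrants an incident review of that device.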