Over 3 Million Fortinet Devices Exposed to Critical Authentication Bypass Vulnerability
A recent cybersecurity analysis has revealed that over 3,280,081 Fortinet devices are currently online with exposed web properties, rendering them susceptible to a severe authentication bypass vulnerability identified as CVE-2026-24858. This flaw, actively exploited in the wild, poses a significant risk to organizations relying on Fortinet’s security solutions.
Understanding CVE-2026-24858
CVE-2026-24858 is a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.4, indicating its high severity. The flaw affects multiple Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. It arises from improper access control mechanisms within the Graphical User Interface (GUI) component, specifically related to the FortiCloud Single Sign-On (SSO) feature.
Mechanism of Exploitation
The vulnerability allows threat actors who possess a FortiCloud account and have a registered device to authenticate into other organizations’ devices if the FortiCloud SSO feature is enabled. While this feature is disabled by default, administrators often enable it during the FortiCare registration process unless they explicitly disable the Allow administrative login using FortiCloud SSO option.
Timeline of Events
– January 22, 2026: Fortinet confirmed active exploitation of CVE-2026-24858, identifying two malicious FortiCloud accounts—[email protected] and [email protected]—used in the attacks.
– January 26, 2026: In response to the exploitation, Fortinet temporarily disabled the FortiCloud SSO feature to mitigate further unauthorized access.
– January 27, 2026: The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of remediation.
– January 28, 2026: Fortinet re-enabled the FortiCloud SSO feature with version-based restrictions, preventing vulnerable devices from authenticating through this method.
Affected Versions and Products
The vulnerability spans a wide range of versions across Fortinet’s product suite:
– FortiOS: Versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18.
– FortiManager and FortiAnalyzer: Share similar vulnerable version ranges as FortiOS.
– FortiProxy and FortiWeb: Exposed across multiple major releases.
– FortiSwitch Manager: Currently under investigation for potential exposure.
Recommended Actions
Organizations utilizing the affected Fortinet products should take immediate action to mitigate the risks associated with CVE-2026-24858:
1. Apply Patches: Fortinet has released patches for select branches. Users should upgrade to the following versions:
– FortiOS: Upgrade to version 7.4.11 or 7.6.6.
– FortiManager: Upgrade to version 7.4.10 or 7.6.6.
– FortiAnalyzer: Upgrade to version 7.2.12 or 7.0.16.
2. Disable FortiCloud SSO: If immediate patching is not feasible, administrators should disable the FortiCloud SSO feature to prevent unauthorized access.
3. Review Administrative Accounts: Conduct a thorough audit of all administrative accounts to identify and remove any unauthorized users. Attackers have been known to create local administrator accounts with names such as audit, backup, itadmin, secadmin, support, svcadmin, or system.
4. Monitor for Indicators of Compromise (IoCs): Stay vigilant for signs of exploitation, including unexpected configuration changes or the presence of unfamiliar administrator accounts.
Broader Implications
The exposure of over 3 million Fortinet devices underscores the critical importance of timely vulnerability management and the need for organizations to maintain robust security practices. The widespread nature of this vulnerability highlights the potential for significant impact across various sectors, emphasizing the necessity for immediate and decisive action.
Conclusion
CVE-2026-24858 represents a substantial threat to organizations utilizing Fortinet’s security products. By understanding the nature of this vulnerability and implementing the recommended mitigation strategies, organizations can protect their systems from unauthorized access and potential compromise. Staying informed and proactive in addressing such vulnerabilities is essential in maintaining a secure and resilient cybersecurity posture.
