January 27, 2026
Critical Auth Bypass Vulnerabilities in Fortinet Products Under Active Exploitation (CVE-2026-24858)
On January 27th, Fortinet published an advisory alerting users to an authentication bypass in FortiCloud SSO that is actively being exploited in the wild. This vulnerability is separate from, but closely related to, CVE-2025-59718 and CVE-2025-59719 from December 2025, and warrants immediate action.
Executive Summary
On January 27th, Fortinet published an advisory detailing an authentication bypass via an alternate path or channel vulnerability (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer. A threat actor with a valid FortiCloud account and a registered device can abuse this vulnerability to authenticate to other devices registered under different FortiCloud accounts, provided FortiCloud SSO is enabled on those target devices. This vulnerability was reported to already be in use by threat actors in the wild at the time of discovery. In December 2025, Fortinet had issued a similar advisory covering two FortiCloud single sign-on (SSO) bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) [BSL-A1147] that the Fortinet product security team had discovered internally during a code audit.
The vulnerabilities described in that December advisory allowed unauthenticated bypass of SSO login authentication via crafted SAML sent to FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices when the FortiCloud SSO feature was enabled.
FortiCloud SSO is not enabled by default in factory configurations. However, when an administrator registers a device with FortiCare through the GUI, FortiCloud SSO is automatically enabled unless the “Allow administrative login using FortiCloud SSO” option is explicitly disabled during registration.
As mentioned, Fortinet observed this vulnerability being actively exploited in the wild by two malicious FortiCloud accounts, which were disabled on 2026-01-22. As an immediate mitigation, Fortinet temporarily disabled FortiCloud SSO at the FortiCloud service level on 2026-01-26. The feature was re-enabled on 2026-01-27 with additional restrictions, preventing authentication from devices running vulnerable versions.
Because FortiCloud SSO is enabled automatically during GUI registration, Beazley Security believes many Fortinet devices may be vulnerable without the administrator's knowledge. Given the reports of active exploitation of these vulnerabilities in the wild, and the significant risk of further compromise once initial access has been gained through a compromised Fortinet device, Beazley Security strongly recommends that affected organizations disable FortiCloud SSO until patches are available and can be applied.
Affected Systems or Products
| Product | Affected Version | Fixed Version |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.9 | Upgrade to upcoming 7.4.10 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.12 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiManager 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.9 | Upgrade to upcoming 7.4.10 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.11 | Upgrade to upcoming 7.2.13 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.15 | Upgrade to upcoming 7.0.16 or above |
| FortiOS 7.6 | 7.6.0 through 7.6.5 | Upgrade to upcoming 7.6.6 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.10 | Upgrade to upcoming 7.4.11 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.12 | Upgrade to upcoming 7.2.13 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.18 | Upgrade to upcoming 7.0.19 or above |
| FortiProxy 7.6 | 7.6.0 through 7.6.4 | Upgrade to upcoming 7.6.6 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.12 | Upgrade to upcoming 7.4.13 or above |
| FortiProxy 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
Mitigations / Workarounds
Patches have not been released at the time of writing, and Beazley Security strongly recommends that patches be applied to any impacted appliances as soon as they become available.
Additionally, Beazley Security Labs recommends disabling the FortiCloud SSO feature until patches are released and applied. To disable FortiCloud SSO admin logins:
1. Go to System -> Settings -> Switch.
2. Change "Allow administrative login using FortiCloud SSO" to Off.

Or type the following commands in the CLI:

```
config system global
    set admin-forticloud-sso-login disable
end
```
Patches
Fortinet has disabled FortiCloud SSO support for vulnerable device versions as of January 26, 2026. Customers must upgrade to the latest versions for FortiCloud SSO authentication to function. The FortiGuard advisory recommends using their provided upgrade tool to update software on the affected products when the patches become available.
Indicators of Compromise
At the time of this writing, FortiGuard Labs has officially released indicators of compromise, and there are also public reports of exploitation in the wild.
Emails
The actor has been observed logging in with the following user accounts.
cloud-noc@mail[.]io
cloud-init@mail[.]io
IP Addresses
According to FortiGuard Labs, the actor has been observed logging in from multiple IP addresses and appears to have switched to Cloudflare-protected IPs.
Malicious Local Account Creation
Following authentication via SSO, the actor has been observed creating a local admin account with one of the following names. We recommend reviewing all admin accounts for any unexpected entries.
audit
backup
itadmin
secadmin
support
backupadmin
deploy
remoteadmin
security
svcadmin
system
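As an added example (not from the advisory or from Fortinet), the following Python script performs the two checks this advisory asks administrators to make: whether FortiCloud SSO admin login is still enabled, and whether any local admin account matches one of the names listed above. It assumes the input is a saved copy of `show full-configuration system global` and `show system admin` output from the CLI; the sample configuration below is constructed.

```python
import re
from typing import Optional

# Constructed sample (not from the advisory) of the relevant parts of a
# FortiOS "show full-configuration" dump: the global SSO setting and the
# local admin table. Real output contains many more lines.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "itadmin"
        set accprofile "super_admin"
    next
    edit "noc-ops"
        set accprofile "prof_admin"
    next
end
"""

# Local admin names the advisory reports the actor creating after an SSO login.
SUSPECT_ADMIN_NAMES = {
    "audit", "backup", "itadmin", "secadmin", "support", "backupadmin",
    "deploy", "remoteadmin", "security", "svcadmin", "system",
}

def forticloud_sso_enabled(config: str) -> Optional[bool]:
    """True/False from 'set admin-forticloud-sso-login'; None if the line is absent
    (a plain 'show' omits default values, so absence is not proof it is off)."""
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(\w+)", config, re.M)
    return None if m is None else m.group(1) == "enable"

def local_admin_names(config: str) -> list[str]:
    """Names of every 'edit' entry in the top-level 'config system admin' block."""
    block = re.search(r"^config system admin\n(.*?)^end", config, re.M | re.S)
    return re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M) if block else []

def suspicious_admins(config: str) -> list[str]:
    """Local admins whose name matches one the actor has been seen to create."""
    return [n for n in local_admin_names(config) if n.lower() in SUSPECT_ADMIN_NAMES]

if __name__ == "__main__":
    print("FortiCloud SSO admin login:", forticloud_sso_enabled(SAMPLE_CONFIG))
    print("Admin accounts to review:", suspicious_admins(SAMPLE_CONFIG))
```

A match on a name is only a prompt to review the account (creation time, trusted hosts, profile), since legitimate accounts can share these names.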
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.