Fortinet has issued an urgent warning regarding a critical vulnerability affecting its core network security platforms, including FortiOS, FortiManager, and FortiAnalyzer. The flaw, tracked as CVE-2026-24858, carries a near-maximum CVSS severity score of 9.4 and allows remote attackers to bypass authentication and log into vulnerable devices using their own valid FortiCloud credentials.
The vulnerability stems from a logical error in how the devices handle Single Sign-On (SSO) sessions. The flaw is classified as an “Authentication Bypass Using an Alternate Path or Channel.” It specifically targets the FortiCloud SSO feature.
According to the security advisory, the flaw “may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices”.
While this feature is not enabled by default in factory settings, it often becomes active during standard administrative workflows. “When an administrator registers the device to FortiCare from the device’s GUI… FortiCloud SSO login is enabled upon registration,” unless explicitly disabled.
Fortinet confirmed that threat actors have already weaponized this flaw to breach customer networks.
“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts,” the advisory states.
The attackers used specific email addresses—cloud-noc@mail.io and cloud-init@mail.io—to authenticate against victim devices. Once inside, they were observed creating local administrative accounts to maintain persistence even after the initial session ended.
Fortinet took aggressive action to stem the bleeding. The malicious accounts were identified and locked out on January 22, 2026. To protect the broader ecosystem, Fortinet temporarily disabled the entire FortiCloud SSO mechanism server-side on January 26, 2026.
The service was re-enabled on January 27, but with a catch: it “no longer supports login from devices running vulnerable versions”. This effectively forces a quarantine—unpatched devices can no longer use the convenience of SSO until they are updated.
Defenders are urged to scan their logs for successful logins from the malicious email addresses mentioned above, as well as traffic from specific Cloudflare-protected IP addresses used by the attackers, including:
- 104.28.244.115
- 104.28.212.114
- 104.28.212.115
- 104.28.195.105
- 104.28.195.106
- 104.28.227.106
- 104.28.227.105
- 104.28.244.114
Additional IPs observed by a third party, not Fortinet:
- 37[.]1.209.19
- 217[.]119.139.50
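The log review the article recommends, as an added example that is not Fortinet's code or part of the advisory: a small Python script that scans FortiGate-style `key=value` event logs for the two malicious FortiCloud accounts, the listed source IPs (Fortinet's list and the lower-confidence third-party list kept separate), and the follow-on creation of local administrator accounts described above. The log lines are constructed for the example, and the field names it keys on (`user`, `srcip`, `action`, `status`, `cfgpath`, `cfgobj`) are assumptions about the log format that should be checked against real device output before use.

```python
"""Scan FortiGate-style key=value event logs for the indicators named in the
advisory write-up. Example code, not Fortinet's; field names are assumptions."""
import re

# Indicators quoted in the article (from Fortinet's advisory).
IOC_EMAILS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
IOC_IPS_FORTINET = {
    "104.28.244.115", "104.28.212.114", "104.28.212.115", "104.28.195.105",
    "104.28.195.106", "104.28.227.106", "104.28.227.105", "104.28.244.114",
}


def refang(ip):
    """Turn a defanged indicator such as 37[.]1.209.19 back into a plain IP."""
    return ip.replace("[.]", ".")


# IPs the article attributes to a third party, not Fortinet; kept separate so a
# hit on them can be reported with lower confidence.
IOC_IPS_THIRD_PARTY = {refang(s) for s in ("37[.]1.209.19", "217[.]119.139.50")}

# key=value or key="quoted value" pairs, as FortiGate-style logs emit them.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    user = event.get("user", "").lower()
    srcip = event.get("srcip", "")
    action = event.get("action", "").lower()
    if action == "login" and user in IOC_EMAILS:
        outcome = "successful" if event.get("status", "").lower() == "success" else "attempted"
        reasons.append(f"{outcome} login by malicious FortiCloud account {user}")
    if srcip in IOC_IPS_FORTINET:
        reasons.append(f"source IP {srcip} in Fortinet-published list")
    elif srcip in IOC_IPS_THIRD_PARTY:
        reasons.append(f"source IP {srcip} in third-party list (lower confidence)")
    # Persistence step from the article: a new local admin account. The
    # cfgpath/cfgobj field names are assumed, not taken from the advisory.
    if action == "add" and event.get("cfgpath", "") == "system.admin":
        reasons.append(f"local admin account created: {event.get('cfgobj', '?')}")
    return reasons


def scan(lines):
    """Return (timestamp, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        reasons = classify(ev)
        if reasons:
            hits.append((f"{ev.get('date', '?')} {ev.get('time', '?')}", reasons))
    return hits


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date=2026-01-20 time=03:14:07 type=event subtype=system action=login status=success '
    'user="cloud-noc@mail.io" srcip=104.28.244.115 method=sso',
    'date=2026-01-20 time=03:15:42 type=event subtype=system action=Add '
    'cfgpath="system.admin" cfgobj="support_tmp" user="cloud-noc@mail.io" srcip=104.28.244.115',
    'date=2026-01-20 time=09:00:01 type=event subtype=system action=login status=success '
    'user="admin" srcip=10.0.0.5 method=local',
    'date=2026-01-21 time=11:22:33 type=event subtype=system action=login status=failed '
    'user="cloud-init@mail.io" srcip=37.1.209.19 method=sso',
]

if __name__ == "__main__":
    for when, reasons in scan(SAMPLE_LOGS):
        print(when)
        for r in reasons:
            print("   ", r)
```

Run against exported logs with `scan(open("event.log").read().splitlines())`; a hit on the admin-creation check deserves attention even when the IP and account checks are silent, since the article notes the actors added local accounts precisely to outlive the SSO session.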
The server-side fix is a stopgap, but the permanent solution is on the device itself. “Customers must upgrade to the latest versions… for the FortiCloud SSO authentication to function” and to remain secure.
Administrators should check the advisory for the specific patch levels for FortiOS, FortiAnalyzer, and FortiManager and apply them immediately.