Overview
- Fortinet assigned CVE-2026-24858 to a critical authentication-bypass via an alternate FortiCloud SSO path and has begun releasing fixes, including FortiOS 7.4.11, with FortiManager and FortiAnalyzer updates rolling out.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog and directed federal civilian agencies to remediate by January 30, 2026.
- To blunt active exploitation, Fortinet locked abusive FortiCloud accounts on January 22, disabled FortiCloud SSO on January 26, then re-enabled it on January 27 with a block on logins from devices running vulnerable firmware.
- Observed intrusions used two FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) to create local admin and VPN-enabled users and rapidly exfiltrate firewall configurations in what investigators described as automated activity.
- The issue affects FortiOS, FortiManager, and FortiAnalyzer when FortiCloud SSO is enabled (SSO can be auto-enabled during FortiCare GUI registration). Fortinet is still investigating exposure in other products such as FortiWeb, FortiSwitch Manager, and FortiProxy. Customers are urged to upgrade, review logs for indicators, and treat affected devices as breached if signs of compromise are found.
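The log review the summary recommends can be scripted. The following is an added example, not code from the original article or from Fortinet: it scans FortiOS-style key=value event logs for the behaviour described above (activity by the two reported FortiCloud accounts, creation of admin or VPN-capable local users, and a configuration download shortly after such a creation). The field names `user`, `ui`, `action`, `cfgpath` and `cfgobj`, the `ui="sso"` value, the config paths `system.admin` and `user.local`, and all sample log lines are assumptions constructed for this example, not values taken from Fortinet documentation.

```python
"""Triage script for FortiOS-style key=value event logs (added example).

Assumed, not taken from Fortinet documentation: one key=value pair per
field, values optionally double-quoted; the acting identity in `user`;
configuration changes carrying `action`, `cfgpath` and `cfgobj`; and a
configuration export showing up as action="download".
"""
import re
from datetime import datetime, timedelta

# FortiCloud accounts the summary reports as used in observed intrusions.
SUSPECT_SSO_ACCOUNTS = frozenset({"cloud-noc@mail.io", "cloud-init@mail.io"})

# Config paths whose "Add" we treat as a new admin or VPN-capable user
# (assumed names for this example).
ACCOUNT_CFGPATHS = frozenset({"system.admin", "user.local"})

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def event_time(fields):
    """Combine the date and time fields into a datetime, or None if absent."""
    try:
        return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None


def scan_logs(lines, known_admins=frozenset(), exfil_window=timedelta(minutes=5)):
    """Return (line_no, rule, user, detail) findings for the given log lines.

    Rules:
      sso-ioc         any event whose user is one of the reported accounts
      account-create  admin/VPN user creation by someone outside known_admins
      rapid-exfil     config download by a user who created an account
                      within exfil_window (the automated pattern reported)
    """
    findings = []
    last_account_add = {}  # user -> time of that user's most recent account creation
    for n, line in enumerate(lines, 1):
        f = parse_kv_line(line)
        if not f:
            continue
        user = f.get("user", "")
        action = f.get("action", "").lower()
        cfgpath = f.get("cfgpath", "")
        ts = event_time(f)

        if user in SUSPECT_SSO_ACCOUNTS:
            findings.append((n, "sso-ioc", user,
                             f"{action or 'event'} by FortiCloud account named in advisory"))

        if action == "add" and cfgpath in ACCOUNT_CFGPATHS:
            obj = f.get("cfgobj", "?")
            if user not in known_admins:
                findings.append((n, "account-create", user,
                                 f"{cfgpath} '{obj}' created by unexpected user"))
            if ts is not None:
                last_account_add[user] = ts

        if action == "download" and ts is not None:
            created = last_account_add.get(user)
            if created is not None and ts - created <= exfil_window:
                secs = int((ts - created).total_seconds())
                findings.append((n, "rapid-exfil", user,
                                 f"config download {secs}s after account creation"))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = {}
    for _, rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample: one automated SSO session, then routine work by a known admin.
SAMPLE_LOG = """\
date=2026-01-22 time=10:15:03 type=event user="cloud-noc@mail.io" ui="sso" action="login" status="success" msg="Administrator logged in"
date=2026-01-22 time=10:15:04 type=event user="cloud-noc@mail.io" ui="sso" action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"
date=2026-01-22 time=10:15:05 type=event user="cloud-noc@mail.io" ui="sso" action="Add" cfgpath="user.local" cfgobj="vpn_tmp" msg="Add user.local vpn_tmp"
date=2026-01-22 time=10:15:09 type=event user="cloud-noc@mail.io" ui="sso" action="download" msg="Configuration backup downloaded"
date=2026-01-22 time=11:02:41 type=event user="admin" ui="https(192.0.2.10)" action="Add" cfgpath="user.local" cfgobj="alice" msg="Add user.local alice"
date=2026-01-22 time=11:40:00 type=event user="admin" ui="https(192.0.2.10)" action="download" msg="Configuration backup downloaded"
"""

if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOG.splitlines(), known_admins={"admin"})
    for line_no, rule, user, detail in results:
        print(f"line {line_no:>2} [{rule}] {user}: {detail}")
    print(count_by_rule(results))
```

On the constructed sample the script flags every event from the reported account, both account creations, and the download four seconds after the last creation, while the known admin's user addition followed by a backup half an hour later produces no finding. Adapt `ACCOUNT_CFGPATHS`, the `download` action name and `known_admins` to the field values actually present in your own exported logs before relying on it.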