Fortinet security patch release for CVE-2026-24858
Security Patch Release
Summary
Hide ▲
Show ▼
Fortinet began releasing security updates for CVE-2026-24858, a critical FortiOS authentication-bypass flaw that also affects FortiManager and FortiAnalyzer. The release matters because the flaw is actively exploited in the wild and can let attackers abuse FortiCloud SSO access to reach other devices. Customers must move to the latest firmware for FortiCloud SSO authentication to keep working.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data Leak
H score93
First: 22.06.2026 11:30
Last: 22.06.2026 11:30
Sources 1
About this happening:
The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data LeakAbout this happening: The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
Timeline
-
28.01.2026 06:49 1 articles · 5mo ago
Fortinet locks out malicious FortiCloud accounts
Untyped PhaseFortinet locked out two malicious FortiCloud accounts, [email protected] and [email protected], after abuse of a new attack path used to obtain unauthorized FortiCloud SSO logins on Fortinet devices.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 1 articles · 5mo ago
Fortinet disables FortiCloud SSO on the FortiCloud side
Untyped PhaseFortinet disabled FortiCloud SSO on the FortiCloud side to interrupt unauthorized logins affecting FortiOS, FortiManager, and FortiAnalyzer systems.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 1 articles · 5mo ago
Fortinet restores FortiCloud SSO with vulnerable-version blocks
Untyped PhaseFortinet re-enabled FortiCloud SSO on the FortiCloud side but blocked login from devices running vulnerable versions, forcing customers to upgrade before FortiCloud SSO authentication would function.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 2 articles · 5mo ago
Fortinet discloses CVE-2026-24858 and CISA sets remediation urgency
Initial DisclosureFortinet released security updates for CVE-2026-24858, a CVSS 9.4 authentication bypass in FortiOS single sign-on that also affects FortiManager and FortiAnalyzer; an attacker with a FortiCloud account and a registered device may log into other devices when FortiCloud SSO authentication is enabled, and Fortinet said the flaw is under active exploitation while it continues checking whether FortiWeb and FortiSwitch Manager are affected. The same disclosure also led CISA to add CVE-2026-24858 to the Known Exploited Vulnerabilities catalog and require Federal Civilian Executive Branch agencies to remediate by January 30, 2026.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49