FortiOS SSO authentication bypass (CVE-2026-24858)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-24858 is a critical FortiOS authentication bypass affecting FortiOS, FortiManager, and FortiAnalyzer, and it is being actively exploited in the wild. The flaw can let an attacker with a FortiCloud account and a registered device log into other devices when FortiCloud SSO is enabled. That abuse can enable local admin persistence, VPN access changes, and firewall configuration exfiltration. Fortinet has started releasing security updates in response, and CISA has added the issue to KEV with a January 30, 2026 remediation deadline for FCEB agencies.
Related Happenings
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
CISA FortiBleed mitigation guidance
Advisory/Mitigation
H score67
First: 19.06.2026 09:47
Last: 19.06.2026 09:47
Sources 1
About this happening:
**CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
CISA FortiBleed mitigation guidance
Advisory/MitigationAbout this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
Timeline
-
10.03.2026 18:21 1 articles · 4mo ago
FortiGate exploitation uses CVE-2026-24858
Exploitation ObservedSentinelOne said attackers are abusing FortiGate NGFW appliances through known vulnerabilities and weak credentials, including CVE-2026-24858, to steal configuration files and service account credentials from healthcare, government, and managed service provider environments.
Show sources
- FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials — thehackernews.com — 10.03.2026 18:21
-
28.01.2026 06:49 1 articles · 5mo ago
Malicious FortiCloud accounts locked out
Mitigation Patch UpdateFortinet locked out two malicious FortiCloud accounts, [email protected] and [email protected], after threat actors abused a new attack path to obtain FortiCloud SSO logins without authentication on affected devices.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 1 articles · 5mo ago
FortiCloud SSO disabled on FortiCloud side
Mitigation Patch UpdateFortinet disabled FortiCloud SSO on the FortiCloud side, cutting off the login path that had been abused to create local admin accounts, change VPN-related configuration, and exfiltrate firewall configurations.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 1 articles · 5mo ago
FortiCloud SSO re-enabled with vulnerable-version block
Mitigation Patch UpdateFortinet re-enabled FortiCloud SSO but blocked the feature on devices running vulnerable versions, requiring customers to upgrade to the latest software before FortiCloud SSO would function.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 2 articles · 5mo ago
CVE-2026-24858 disclosed as active FortiOS bypass
Initial DisclosureFortinet disclosed CVE-2026-24858, a CVSS 9.4 authentication bypass in FortiOS single sign-on that also affects FortiManager and FortiAnalyzer and may affect FortiWeb and FortiSwitch Manager; an attacker with a FortiCloud account and a registered device could log into other devices when FortiCloud SSO is enabled.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49
-
28.01.2026 06:49 1 articles · 5mo ago
CISA adds CVE-2026-24858 to KEV
Legal Policy Action UpdateCISA added CVE-2026-24858 to the Known Exploited Vulnerabilities catalog and required Federal Civilian Executive Branch agencies to remediate it by January 30, 2026.
Show sources
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected — thehackernews.com — 28.01.2026 06:49