FORTINET has issued an urgent warning about a critical authentication bypass flaw in its core network platforms, including FortiOS, FortiManager and FortiAnalyzer, tracked as CVE-2026-24858 with a near-maximum CVSS score of 9.4. According to the security advisory, the flaw allows a remote attacker with a FortiCloud account and a registered device to log into other devices if FortiCloud SSO authentication is enabled.
Fortinet confirmed that threat actors have already weaponised this flaw to breach customer networks, with the advisory noting that “this vulnerability was found being exploited in the wild by two malicious FortiCloud accounts” using the email addresses cloud-noc@mail[.]io and cloud-init@mail[.]io to authenticate against victim devices.
Once inside, the attackers were observed creating local administrative accounts to maintain persistence. The two malicious accounts were locked out on 22 January 2026; Fortinet then disabled the FortiCloud SSO mechanism server-side on 26 January 2026 and re-enabled it on 27 January 2026 for devices not running vulnerable versions.
Defenders are urged to scan logs for the email addresses above and for traffic from Cloudflare-protected IP addresses including 104.28.244[.]115, 104.28.212[.]114, 104.28.212[.]115, 104.28.195[.]105, 104.28.195[.]106, 104.28.227[.]106, 104.28.227[.]105 and 104.28.244[.]114, among others, and to upgrade to the latest FortiOS, FortiAnalyzer and FortiManager versions so that FortiCloud SSO authentication functions securely.
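The log sweep the advisory asks for can be scripted. The following is an added example, not code from Fortinet or from the advisory: it takes the two email addresses and the IP addresses quoted above (the IP list is the published subset, so extend it from the full advisory), refangs them, and runs them over a handful of constructed log lines. The key=value layout and field names used here (user, srcip, method, action, cfgpath, cfgobj) are an assumption for the example, not Fortinet's exact log schema; adapt parse_kv to the export format your SIEM actually holds. It also flags any line that looks like a local administrator account being added, since that is the persistence behaviour the advisory describes.

```python
import re
from dataclasses import dataclass

# Indicators as quoted in the advisory summary above, kept defanged with "[.]".
# The IP list is only the subset the article prints; the advisory says there are others.
IOC_EMAILS_DEFANGED = ["cloud-noc@mail[.]io", "cloud-init@mail[.]io"]
IOC_IPS_DEFANGED = [
    "104.28.244[.]115", "104.28.212[.]114", "104.28.212[.]115", "104.28.195[.]105",
    "104.28.195[.]106", "104.28.227[.]106", "104.28.227[.]105", "104.28.244[.]114",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("mail[.]io") back into a matchable string."""
    return indicator.replace("[.]", ".")


IOC_EMAILS = {refang(e).lower() for e in IOC_EMAILS_DEFANGED}
IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Constructed sample lines in a simplified key=value style (assumption: this is
# an illustrative layout, not Fortinet's real log format).
SAMPLE_LOGS = [
    'date=2026-01-20 time=09:14:02 type=event subtype=system action=login status=success user="admin" srcip=10.0.0.5 method=https msg="Administrator admin logged in successfully"',
    'date=2026-01-20 time=11:41:55 type=event subtype=system action=login status=success user="cloud-noc@mail.io" srcip=104.28.244.115 method=sso msg="Administrator logged in via FortiCloud SSO"',
    'date=2026-01-20 time=11:42:30 type=event subtype=system action=Add cfgpath="system.admin" cfgobj="support_tmp" user="cloud-noc@mail.io" srcip=104.28.244.115 msg="Add system.admin support_tmp"',
    'date=2026-01-21 time=08:00:01 type=event subtype=system action=login status=failed user="netops" srcip=192.0.2.7 method=https',
    'date=2026-01-21 time=13:22:47 type=event subtype=system action=login status=success user="cloud-init@mail.io" srcip=198.51.100.23 method=sso',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Hit:
    line_no: int
    reasons: list[str]
    line: str


def scan(lines) -> list[Hit]:
    """Return one Hit per log line that matches an advisory indicator or shows
    the post-compromise behaviour (new local admin) the advisory describes."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        user = f.get("user", "").lower()
        src = f.get("srcip", "")
        reasons = []
        if user in IOC_EMAILS:
            reasons.append(f"activity by known malicious FortiCloud account {user}")
        if src in IOC_IPS:
            reasons.append(f"source IP {src} is on the advisory IoC list")
        # Persistence pattern from the advisory: a local admin account being added.
        # Flagged regardless of who did it; the analyst decides whether it was expected.
        if f.get("action") == "Add" and f.get("cfgpath") == "system.admin":
            who = user or "unknown"
            reasons.append(f"local administrator account '{f.get('cfgobj', '?')}' created by {who}")
        if reasons:
            hits.append(Hit(n, reasons, line))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: " + "; ".join(h.reasons))
```

Run against the constructed sample it reports lines 2, 3 and 5: the SSO login from a listed account and IP, the admin account that account then created, and a second listed account logging in from an IP that is not on the published list (which is exactly why the email match matters even when the IP list is incomplete).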