{"id":10261,"date":"2026-01-30T10:03:36","date_gmt":"2026-01-30T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/30\/3280081-fortinet-devices-online-with-exposed-web-properties-under-risk\/"},"modified":"2026-01-30T10:03:36","modified_gmt":"2026-01-30T10:03:36","slug":"3280081-fortinet-devices-online-with-exposed-web-properties-under-risk","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/30\/3280081-fortinet-devices-online-with-exposed-web-properties-under-risk\/","title":{"rendered":"3,280,081 Fortinet Devices Online With Exposed Web Properties Under Risk"},"content":{"rendered":"<p>    3,280,081 Fortinet Devices Online With Exposed Web Properties Under Risk<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Over 3,280,081 Fortinet Devices Were exposed, with web properties running vulnerable Fortinet devices <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">affected by\u00a0<a href=\"https:\/\/cybersecuritynews.com\/fortinet-forticloud-sso-vulnerability\/\" target=\"_blank\" rel=\"noopener\">CVE-2026-24858<\/a>, a severe authentication-bypass<\/span> flaw actively exploited in the wild.<\/p>\n<p>The vulnerability, rated 9.4 on the CVSS scale, affects multiple Fortinet product lines, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-critical-authentication-bypass-exploited-in-active-attacks\"><strong>Critical Authentication Bypass Exploited in Active Attacks<\/strong><\/h2>\n<p>CVE-2026-24858 allows threat actors with a FortiCloud account and a registered device to authenticate into other organizations\u2019 devices when FortiCloud SSO is enabled.<\/p>\n<p>While this feature is disabled by default, administrators frequently enable it during FortiCare device registration unless they explicitly toggle off the \u201cAllow administrative login using FortiCloud SSO\u201d option.<\/p>\n<p>CISA <a href=\"https:\/\/cybersecuritynews.com\/forticloud-sso-authentication-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">added<\/a> the vulnerability to its Known Exploited Vulnerabilities catalog on January 27, 2026, establishing a remediation deadline of January 30, 2026, the same day as this report.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Field<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>CVE<\/strong><\/td>\n<td>\n<strong>CVE-2026-24858<\/strong> (CVSS 9.4)<\/td>\n<\/tr>\n<tr>\n<td><strong>Issue<\/strong><\/td>\n<td>Critical auth bypass via FortiCloud SSO allowing cross-account device access<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Products<\/strong><\/td>\n<td>FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb<\/td>\n<\/tr>\n<tr>\n<td><strong>Vulnerable Versions<\/strong><\/td>\n<td>Multiple versions across 7.x\u20138.x branches<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Fortinet confirmed active exploitation on January 22, 2026, identifying two malicious FortiCloud accounts, cloud-noc@mail.io and\u00a0cloud-init@mail.io, responsible for the attacks.<\/p>\n<p>Threat actors leveraged the vulnerability to download device configurations and establish persistence.<\/p>\n<p>By creating local administrator accounts with familiar names such as \u201caudit,\u201d \u201cbackup,\u201d \u201citadmin,\u201d \u201csecadmin,\u201d \u201csupport,\u201d \u201csvcadmin,\u201d or \u201csystem.\u201d<\/p>\n<p>In response, Fortinet temporarily disabled FortiCloud SSO on January 26, 2026, and re-enabled it the following day with version-based restrictions blocking vulnerable devices from authentication.<\/p>\n<p>The vulnerability affects a wide range of versions across Fortinet\u2019s enterprise security portfolio.<\/p>\n<p>FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18 require <a href=\"https:\/\/cybersecuritynews.com\/fortinet-forticloud-sso-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">immediate patching<\/a>.<\/p>\n<p>FortiManager and FortiAnalyzer share similar vulnerable version ranges, while FortiProxy and FortiWeb face exposure across multiple major releases. FortiSwitch Manager remains under investigation.<\/p>\n<p>Patches are currently available for select branches, with FortiOS requiring upgrades to version 7.4.11 or 7.6.6, FortiManager needing 7.4.10 or 7.6.6, and FortiAnalyzer requiring 7.2.12 or 7.0.16.<\/p>\n<p>According to the Censys <a href=\"https:\/\/censys.com\/advisory\/cve-2026-24858\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">advisory<\/a>, organizations that cannot patch immediately should disable FortiCloud SSO and review all admin accounts for unauthorized users matching attacker-created naming patterns.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/fortinet-devices-exposed-web-properties\/\">3,280,081 Fortinet Devices Online With Exposed Web Properties Under Risk<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/fortinet-devices-exposed-web-properties\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>3,280,081 Fortinet Devices Online With Exposed Web Properties Under Risk Over 3,280,081 Fortinet Devices Were exposed, with web properties running vulnerable Fortinet devices affected by\u00a0CVE-2026-24858, a severe authentication-bypass flaw actively exploited in the wild. The vulnerability, rated 9.4 on the CVSS scale, affects multiple Fortinet product lines, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. Critical [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-10261","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10261"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10261"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10261\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}