February 4, 2026

More than three million Fortinet devices have been exposed to a critical authentication-bypass vulnerability that is being actively exploited, prompting urgent warnings from U.S. and industry security agencies. Researchers estimate at least 3.28 million internet-facing devices were vulnerable at the peak of exposure.
The flaw, tracked as CVE-2026-24858 and rated 9.4 out of 10 in severity, affects multiple products across Fortinet’s enterprise security portfolio, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb.
The vulnerability allows attackers with a FortiCloud account and a registered device to authenticate into other organizations’ Fortinet appliances when FortiCloud single sign-on (SSO) is enabled. While the SSO feature is disabled by default, Fortinet noted that it is often turned on during FortiCare registration unless administrators explicitly opt out.
Fortinet confirmed on Jan. 22 that the flaw was being exploited in real-world attacks. The company said two malicious FortiCloud accounts were identified abusing the issue to access customer devices, download configurations and establish long-term persistence.
According to Fortinet, attackers created local administrator accounts using generic and familiar names such as “audit,” “backup,” “itadmin,” “secadmin,” “support” and “system,” making them difficult to spot during routine reviews.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, added CVE-2026-24858 to its Known Exploited Vulnerabilities catalogue on Jan. 27, setting a remediation deadline of Jan. 30 for affected organizations.
In response to the attacks, Fortinet temporarily disabled FortiCloud SSO on Jan. 26. The service was restored the following day with new restrictions that block vulnerable devices from authenticating until they are patched.
The exposure spans a wide range of software versions. FortiOS releases from the 7.0, 7.2, 7.4 and 7.6 branches are affected, alongside comparable versions of FortiManager and FortiAnalyzer. FortiProxy and FortiWeb are also impacted across several major releases, while FortiSwitch Manager remains under investigation.
Patches are available for select branches, with Fortinet urging customers to upgrade FortiOS to versions 7.4.11 or 7.6.6, FortiManager to 7.4.10 or 7.6.6, and FortiAnalyzer to 7.2.12 or 7.0.16. Internet intelligence firm Censys said organizations unable to patch immediately should disable FortiCloud SSO as a temporary mitigation and audit all administrative accounts for suspicious users matching the attacker naming patterns.
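One way to run the administrative-account audit Censys recommends against a FortiOS configuration backup, as an added example rather than code from Fortinet or Censys: it parses the `config system admin` table and flags accounts whose names match those Fortinet attributed to the attackers, or that are missing from an organisation's own inventory of approved admins. The configuration excerpt is constructed, and the parser assumes the standard FortiOS backup indentation.

```python
import re

# Admin usernames Fortinet reported the attackers creating (from the article).
SUSPICIOUS_NAMES = {"audit", "backup", "itadmin", "secadmin", "support", "system"}

# Constructed FortiOS config excerpt: syntax follows the FortiOS CLI, accounts invented.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "Audit"
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        config gui-dashboard
        end
    next
end
config system global
    set hostname "fw-edge-1"
end
"""

def parse_admins(config_text):
    """Return {username: accprofile} for every entry in 'config system admin'.
    Relies on FortiOS backup indentation: the table's own 'end' is unindented,
    entries' 'edit'/'next' lines sit one level (4 spaces) in, nested blocks deeper."""
    block = re.search(r"^config system admin\n(.*?)^end$", config_text, re.S | re.M)
    table = block.group(1) if block else ""
    entries = re.findall(r'^    edit "([^"]*)"\n(.*?)^    next$', table, re.S | re.M)
    admins = {}
    for name, body in entries:
        prof = re.search(r'^\s+set accprofile "([^"]*)"$', body, re.M)
        admins[name] = prof.group(1) if prof else None
    return admins

def flag_suspicious_admins(config_text, approved):
    # approved = the organisation's inventory of legitimate admin usernames
    findings = {}
    for name, profile in parse_admins(config_text).items():
        reasons = []
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append("matches reported attacker account name")
        if name not in approved:
            reasons.append("not in approved admin inventory")
        if reasons:
            findings[name] = reasons + ["accprofile=" + str(profile)]
    return findings
```

Run the check over the `show full-configuration` or backup output of every appliance, not only the one that first raised suspicion, since the attackers used the same account names across customer devices.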
