Over 3.28 million internet-exposed devices are at risk from a critical authentication bypass vulnerability, now under active exploitation, that affects Fortinet's enterprise security infrastructure. The vulnerability, tracked as CVE-2026-24858 with a CVSS severity score of 9.4, undermines the FortiCloud Single Sign-On (SSO) mechanism and can give adversaries with no relationship to the victim organization administrative access across several Fortinet product lines that serve government organizations, Fortune 500 companies, and operators of critical infrastructure.

Vulnerability Overview and Technical Impact

CVE-2026-24858 stems from a design flaw in the FortiCloud SSO authentication logic. The flaw allows an attacker who holds any valid FortiCloud account with a registered device to authenticate to target devices registered under entirely different organizational accounts. This cross-account path bypasses the multi-tenancy boundary that is supposed to separate customers and amounts to horizontal privilege escalation across Fortinet's global device ecosystem.
Because the bypass rides on a legitimate authentication path, it does not generate the traditional audit logs or administrator notifications that a brute-force or credential attack would. Once in, an adversary can retrieve device configurations, reset administrative credentials, and create persistent backdoor accounts. According to Censys' threat intelligence analysis, the exposed attack surface is about 3,280,081 internet-reachable Fortinet appliances across several product families and deployment scenarios.

CVE-ID          CVSS Score      Vulnerability Type      Attack Vector   Attack Complexity
CVE-2026-24858  9.4 (Critical)  Authentication Bypass   Network         Low

Six Fortinet product lines across several version branches are affected. FortiOS 7.0.0 through 7.6.5 is at risk, along with FortiManager (7.0.0-7.6.5), FortiAnalyzer (7.0.0-7.6.5), FortiProxy (7.0.0-7.6.4), and FortiWeb (7.4.0-8.0.3). FortiSwitch Manager deployments may also be vulnerable depending on their configuration.
On January 22, 2026, Fortinet identified two malicious FortiCloud accounts, cloud-noc@mail.io and cloud-init@mail.io, that were actively compromising vulnerable infrastructure. The attackers methodically downloaded device configurations and established persistent local administrator accounts, using innocuous-looking names such as "audit," "backup," "itadmin," "secadmin," "support," "svcadmin," and "system" so that the accounts would blend in with legitimate service accounts.

Product        Vulnerable Versions  Patched Versions   Status
FortiOS        7.0.0–7.6.5          7.4.11 or 7.6.6    Actively Exploited
FortiManager   7.0.0–7.6.5          7.4.10 or 7.6.6    Actively Exploited
FortiAnalyzer  7.0.0–7.6.5          7.2.12 or 7.0.16   Actively Exploited
FortiProxy     7.0.0–7.6.4          7.4.10 or 7.6.6    Actively Exploited
FortiWeb       7.4.0–8.0.3          Latest patches     At Risk

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog on January 27, 2026, setting a mandatory federal remediation deadline of January 30, 2026.
A KEV listing means CISA has evidence that the flaw is being exploited in the wild; under Binding Operational Directive 22-01 it obliges federal civilian executive branch agencies to remediate by the stated deadline. The listing does not by itself say which networks were hit, so organizations outside the federal sector should read the three-day window as a measure of urgency rather than as someone else's problem. Fortinet first disabled FortiCloud SSO globally on January 26, 2026. On January 27, the mechanism was reinstated with server-side restrictions that reject SSO authentication attempts originating from vulnerable device versions.

Organizations should upgrade to the patched releases immediately and audit every device for local administrator accounts that match the attacker naming patterns or that no change record explains. Where compromise is suspected, security teams should capture a full device image for forensics, review authentication event logs for FortiCloud accounts that do not belong to the organization, and review configuration download logs for unauthorized retrievals; because the bypass may leave no conventional audit trail, an empty log is not evidence of a clean device. Organizations that cannot patch immediately should disable FortiCloud SSO on their devices until patched versions are deployed across their infrastructure footprint.
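The audit steps above can be scripted against a FortiOS configuration backup and the device's event log. The following is an added example written for this page, not Fortinet's code or a Fortinet tool: it checks the backup's #config-version header against the fixed FortiOS builds from the table above, lists the local admins defined under "config system admin" and flags any that match the attacker naming pattern or are missing from an expected-admin list, and scans key=value event lines for successful FortiCloud SSO logins by accounts the organization does not own. The sample config and log lines are constructed, and the exact fields a FortiCloud SSO login event carries (user= holding the cloud account, msg= naming the method) are an assumption; adjust the match to the fields your devices actually emit.

```python
"""Added example, not Fortinet's code: triage a FortiOS config backup and event
lines for the CVE-2026-24858 indicators described above.  The CLI syntax is real
FortiOS; the sample data and the shape of an SSO login event are constructed."""
import re

# Local admin names the article reports the attackers created for persistence.
ATTACKER_ACCOUNT_NAMES = {"audit", "backup", "itadmin", "secadmin",
                          "support", "svcadmin", "system"}
# First fixed FortiOS build per branch from the article's table (7.4.11 / 7.6.6);
# 7.0.x and 7.2.x are in the affected range with no fixed build listed.
FORTIOS_FIXED = {(7, 4): (7, 4, 11), (7, 6): (7, 6, 6)}

# Constructed sample backup: a legitimate admin, an attacker-style "svcadmin",
# and a nested gui-dashboard block to make sure the parser does not stop early.
SAMPLE_CONFIG = """\
#config-version=FGT100F-7.4.9-FW-build2730-250101:opmode=0:vdom=0:user=admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "svcadmin"
    next
    edit "ops-jdoe"
    next
end
"""
# Constructed event lines in FortiOS key=value style.  ASSUMPTION: a FortiCloud
# SSO login carries the cloud account in user= and names the method in msg=.
SAMPLE_LOGS = [
    'date=2026-01-23 time=02:14:07 logid="0100032001" type="event" subtype="system" '
    'user="cloud-noc@mail.io" srcip=203.0.113.5 action="login" status="success" '
    'msg="Administrator logged in via FortiCloud SSO"',
    'date=2026-01-23 time=09:30:12 logid="0100032001" type="event" subtype="system" '
    'user="admin" srcip=10.0.0.20 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.0.0.20)"',
    'date=2026-01-23 time=11:02:55 logid="0100032001" type="event" subtype="system" '
    'user="ops@example.com" srcip=198.51.100.9 action="login" status="success" '
    'msg="Administrator logged in via FortiCloud SSO"',
]


def parse_version(config_text):
    """(major, minor, patch) from the #config-version header of a FortiOS backup."""
    m = re.search(r"#config-version=\w+-(\d+)\.(\d+)\.(\d+)-", config_text)
    if not m:
        raise ValueError("no #config-version header found")
    return tuple(int(x) for x in m.groups())

def fortios_vulnerable(version):
    """True if the build sits in the 7.0.0-7.6.5 range and below its branch's fix."""
    if version < (7, 0, 0):
        return False
    fixed = FORTIOS_FIXED.get(version[:2])
    return version < fixed if fixed else version <= (7, 6, 5)

def local_admins(config_text):
    """Admin names under 'config system admin'; nested config blocks are skipped."""
    admins, depth, in_admin = [], 0, False
    for raw in config_text.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            in_admin = in_admin or (depth == 0 and s == "config system admin")
            depth += 1
        elif s == "end":
            depth -= 1
            in_admin = in_admin and depth > 0
        elif in_admin and depth == 1 and s.startswith('edit "'):
            admins.append(s[6:].rstrip('"'))
    return admins

def suspicious_admins(config_text, expected):
    """Admins matching the attacker naming pattern or absent from the expected set."""
    return [a for a in local_admins(config_text)
            if a.lower() in ATTACKER_ACCOUNT_NAMES or a not in expected]

def parse_kv(line):
    """Split a FortiOS key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def unexpected_sso_logins(lines, authorized_accounts):
    """Successful FortiCloud SSO logins by accounts the organization does not own."""
    hits = []
    for ev in map(parse_kv, lines):
        if ev.get("action") == "login" and ev.get("status") == "success" \
                and "FortiCloud" in ev.get("msg", "") \
                and ev.get("user") not in authorized_accounts:
            hits.append((ev["date"], ev["time"], ev["user"], ev.get("srcip")))
    return hits

if __name__ == "__main__":
    v = parse_version(SAMPLE_CONFIG)
    print("build", v, "vulnerable:", fortios_vulnerable(v))
    print("suspicious admins:", suspicious_admins(SAMPLE_CONFIG, {"admin", "ops-jdoe"}))
    print("foreign SSO logins:", unexpected_sso_logins(SAMPLE_LOGS, {"ops@example.com"}))
```

Run it against a real backup and exported event log by replacing the two sample inputs; feed the expected-admin and authorized-account sets from your change records rather than from the device itself, since an attacker who has already reset credentials controls what the device reports. On the sample data the build is flagged as unpatched, "svcadmin" is the one rogue admin, and the single foreign SSO login is the cloud-noc@mail.io account. To switch FortiCloud SSO off while waiting for a patch, the relevant FortiOS option is believed to be admin-forticloud-sso-login under "config system global"; confirm the exact option name against the CLI reference for your release before relying on it.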