CVE-2026-24858 and FortiBleed: the Fortinet auth bypass behind a credential gold rush
A patched FortiCloud SSO authentication bypass — and the honest story of how it feeds the 86,000-device FortiBleed campaign

CVE-2026-24858 keeps showing up in coverage of FortiBleed — the credential-harvesting campaign that exposed tens of thousands of Fortinet devices — so it's worth separating the two cleanly. The CVE is a specific, already-patched FortiCloud SSO authentication bypass. FortiBleed is a sprawling credential-theft operation that benefits from past exploitation of bugs like this one. Conflating them leads to the wrong response.
What CVE-2026-24858 is
Per Fortinet's advisory (FG-IR-26-060), CVE-2026-24858 is an authentication bypass using an alternate path or channel (CWE-288) — a FortiCloud SSO login bypass. It scores CVSS 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-reachable and pre-authentication. It was patched in January 2026 and added to CISA's KEV catalog on January 27, 2026. It's one of three related SSO auth-bypass flaws Fortinet fixed around that time, alongside CVE-2025-59718 and CVE-2025-59719 (patched December 2025).
Its role in FortiBleed
FortiBleed surfaced when researcher Bob Diachenko found an exposed database holding plaintext credentials for tens of thousands of FortiGate and Fortinet VPN devices. SOCRadar put the count at 86,644 devices across 194 countries — roughly half of internet-exposed Fortinet infrastructure. Fortinet's own analysis is the important caveat here:
> This activity is not related to any recent incident or advisory.
Fortinet attributes FortiBleed to credential reuse from prior incidents plus brute-force against devices with weak passwords and no MFA — not a new vulnerability. It does note that the earlier exploitation of the three SSO auth-bypass bugs (CVE-2026-24858, CVE-2025-59718, CVE-2025-59719) helped attackers harvest credentials. So CVE-2026-24858's part in this story is upstream — it fed the credential pool — rather than being the live exploit FortiBleed runs today.
Am I affected?
CVE-2026-24858 affects multiple Fortinet product families on the 7.0–7.6 branches. Check FG-IR-26-060 for the exact fixed build for your product, but at a glance:
| Item | Detail |
|---|---|
| Vulnerability | CVE-2026-24858 — FortiCloud SSO authentication bypass (CWE-288), CVSS 9.8 |
| Affected products | FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiNAC-F (7.0 / 7.2 / 7.4 / 7.6 branches) |
| Related fixes | CVE-2025-59718 and CVE-2025-59719 (December 2025) |
| Fix | Apply the January 2026 update per Fortinet advisory FG-IR-26-060 |
| KEV | Added 2026-01-27 (confirmed in-the-wild exploitation) |
| Live threat | FortiBleed credential campaign — treat exposed/weak-password Fortinet devices as compromised |
FortiBleed: what the campaign actually does
- Mass-scans the internet (Masscan / Shodan) for Fortinet remote-login interfaces, then brute-forces with leaked and default credentials.
- On compromised FortiGates, deploys a Go implant ('FortigateSniffer') that abuses the legitimate `diagnose sniffer packet` command to passively capture credentials across ~24 protocols (Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, MSSQL and more).
- Ships captured hashes to a GPU cluster (Hashcat / Hashtopolis), then validates and uses the cracked credentials for Active Directory recon and lateral movement; also steals session cookies.
- Has expanded beyond Fortinet to Synology NAS, Sophos firewalls, RDWeb, Citrix SSL-VPN, exposed RDP and MS-SQL.
- Disproportionately targets MSPs and small organizations (US and India prominent) — compromising an MSP opens a path to its clients.
What to do now
- Patch CVE-2026-24858 (and CVE-2025-59718 / CVE-2025-59719) if you haven't — apply the fixes in Fortinet's advisories.
- Assume credential compromise for any internet-exposed or weak-password Fortinet device: terminate all admin and VPN sessions and rotate every credential.
- Enforce MFA on all administrator and VPN accounts, and upgrade to releases that support PBKDF2 hashing of admin credentials.
- Hunt for the implant and abuse: review configs and accounts for unauthorized changes, check logs for unexpected admin access and `diagnose sniffer packet` use, and restrict management to trusted hosts.
- Cross-check exposure against published FortiBleed datasets (e.g. Huntress, Hudson Rock) to see if your devices appear.
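The brute-forcing and sniffer abuse described under "what the campaign actually does", and the log review in the hunting step above, can be turned into a first-pass triage over FortiGate event logs. The Python below is an added example written for this article, not Fortinet's code and not a tool from any of the FortiBleed write-ups. It assumes FortiGate-style key=value event lines carrying `srcip`, `user`, `action`, `status` and `msg` fields, a hypothetical management allowlist (`TRUSTED_ADMIN_HOSTS`), and a constructed sample log rather than captured data.

```python
"""Triage FortiGate event logs for three signals from the FortiBleed write-up:
repeated failed logins from one source (brute force), successful admin logins
from hosts outside the management allowlist, and use of `diagnose sniffer packet`.

Added example, not vendor code. Field names follow FortiGate's key=value event
log style; the log lines at the bottom are constructed for illustration.
"""
import re
from collections import Counter

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed management allowlist: hosts that are allowed to reach admin logins.
TRUSTED_ADMIN_HOSTS = {"10.0.0.5"}
# Failed logins from one srcip before we call it a brute-force attempt.
BRUTE_FORCE_THRESHOLD = 5


def parse_kv(line):
    """Parse one FortiGate-style key=value log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def triage(lines, trusted=TRUSTED_ADMIN_HOSTS, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (finding_type, srcip, detail) tuples for the three signals."""
    failures = Counter()
    findings = []
    for line in lines:
        ev = parse_kv(line)
        src = ev.get("srcip", "?")
        user = ev.get("user", "?")
        action, status = ev.get("action", ""), ev.get("status", "")

        # Signal 1: count failed logins per source for the brute-force check.
        if action == "login" and status == "failed":
            failures[src] += 1
        # Signal 2: a successful login from outside the management allowlist.
        elif action == "login" and status == "success" and src not in trusted:
            findings.append(("admin_login_untrusted_src", src, user))

        # Signal 3: the packet sniffer the implant abuses, executed on the box.
        if "diagnose sniffer packet" in ev.get("msg", ""):
            findings.append(("sniffer_use", src, user))

    for src, n in failures.items():
        if n >= threshold:
            findings.append(("brute_force", src, f"{n} failed logins"))
    return findings


# Constructed sample: five password failures from one address, then a success
# from that address, a benign success from the allowlisted host, and a sniffer
# invocation by the same session. Not real captured data.
_FAILED = [
    f'date=2026-02-03 time=10:00:{s:02d} type="event" subtype="system" '
    f'user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 '
    f'action="login" status="failed" reason="passwd_invalid" '
    f'msg="Administrator admin login failed from https(198.51.100.23)"'
    for s in range(1, 6)
]
SAMPLE_LOGS = _FAILED + [
    'date=2026-02-03 time=10:00:09 type="event" subtype="system" user="admin" '
    'ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" '
    'status="success" msg="Administrator admin logged in successfully"',
    'date=2026-02-03 time=10:01:00 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator netops logged in successfully"',
    'date=2026-02-03 time=10:02:30 type="event" subtype="system" user="admin" '
    'ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="execute" '
    'msg="Execute command: diagnose sniffer packet any \'port 88 or port 389\' 3"',
]

if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_LOGS):
        print(f"{kind:<26} src={src:<15} {detail}")
```

Point it at an exported event log (one line per entry), replace the allowlist with your real management hosts, and tune the threshold to your login volume. Anything it flags is a lead for the hunting step, not a verdict: confirm against the session history on the device before rotating credentials for that account.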