CVE-2026-24858 and FortiBleed: the Fortinet auth bypass behind a credential gold rush

A patched FortiCloud SSO authentication bypass — and the honest story of how it feeds the 86,000-device FortiBleed campaign

CVE-2026-24858 keeps showing up in coverage of FortiBleed — the credential-harvesting campaign that exposed tens of thousands of Fortinet devices — so it's worth separating the two cleanly. The CVE is a specific, already-patched FortiCloud SSO authentication bypass. FortiBleed is a sprawling credential-theft operation that benefits from past exploitation of bugs like this one. Conflating them leads to the wrong response.

What CVE-2026-24858 is

Per Fortinet's advisory (FG-IR-26-060), CVE-2026-24858 is an authentication bypass using an alternate path or channel (CWE-288) — a FortiCloud SSO login bypass. It scores CVSS 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-reachable and pre-authentication. It was patched in January 2026 and added to CISA's KEV catalog on January 27, 2026. It's one of three related SSO auth-bypass flaws Fortinet fixed around that time, alongside CVE-2025-59718 and CVE-2025-59719 (patched December 2025).

Its role in FortiBleed

FortiBleed surfaced when researcher Bob Diachenko found an exposed database holding plaintext credentials for tens of thousands of FortiGate and Fortinet VPN devices. SOCRadar put the count at 86,644 devices across 194 countries — roughly half of internet-exposed Fortinet infrastructure. Fortinet's own analysis is the important caveat here:

This activity is not related to any recent incident or advisory.
— Fortinet PSIRT

Fortinet attributes FortiBleed to credential reuse from prior incidents plus brute-force against devices with weak passwords and no MFA — not a new vulnerability. It does note that the earlier exploitation of the three SSO auth-bypass bugs (CVE-2026-24858, CVE-2025-59718, CVE-2025-59719) helped attackers harvest credentials. So CVE-2026-24858's part in this story is upstream — it fed the credential pool — rather than being the live exploit FortiBleed runs today.

Am I affected?

CVE-2026-24858 affects multiple Fortinet product families on the 7.0–7.6 branches. Check FG-IR-26-060 for the exact fixed build for your product, but at a glance:

Item                Detail
------------------  --------------------------------------------------------------------------------------------
Vulnerability       CVE-2026-24858 — FortiCloud SSO authentication bypass (CWE-288), CVSS 9.8
Affected products   FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiNAC-F (7.0 / 7.2 / 7.4 / 7.6 branches)
Related fixes       CVE-2025-59718 and CVE-2025-59719 (December 2025)
Fix                 Apply the January 2026 update per Fortinet advisory FG-IR-26-060
KEV                 Added 2026-01-27 (confirmed in-the-wild exploitation)
Live threat         FortiBleed credential campaign — treat exposed/weak-password Fortinet devices as compromised

FortiBleed: what the campaign actually does

  • Mass-scans the internet (Masscan / Shodan) for Fortinet remote-login interfaces, then brute-forces with leaked and default credentials.
  • On compromised FortiGates, deploys a Go implant ('FortigateSniffer') that abuses the legitimate diagnose sniffer packet command to passively capture credentials across ~24 protocols (Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, MSSQL and more).
  • Ships captured hashes to a GPU cluster (Hashcat / Hashtopolis), then validates and uses the cracked credentials for Active Directory recon and lateral movement; also steals session cookies.
  • Has expanded beyond Fortinet to Synology NAS, Sophos firewalls, RDWeb, Citrix SSL-VPN, exposed RDP and MS-SQL.
  • Disproportionately targets MSPs and small organizations (US and India prominent) — compromising an MSP opens a path to its clients.

What to do now

  1. Patch CVE-2026-24858 (and CVE-2025-59718 / CVE-2025-59719) if you haven't — apply the fixes in Fortinet's advisories.
  2. Assume credential compromise for any internet-exposed or weak-password Fortinet device: terminate all admin and VPN sessions and rotate every credential.
  3. Enforce MFA on all administrator and VPN accounts, and upgrade to releases that support PBKDF2 hashing of admin credentials.
  4. Hunt for the implant and for abuse of the device: review configs and accounts for unauthorized changes, check logs for unexpected admin access and for use of diagnose sniffer packet, and restrict management to trusted hosts.
  5. Cross-check exposure against published FortiBleed datasets (e.g. Huntress, Hudson Rock) to see if your devices appear.
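Step 4 above is the one that needs tooling. The following added example (my own code, not Fortinet's and not from any FortiBleed write-up) runs three hunts over FortiGate-style key=value event logs: a successful administrator login from outside the trusted management network, any execution of diagnose sniffer packet (the command the FortigateSniffer implant abuses), and repeated failed admin logins from one source, which is what the campaign's brute-forcing looks like from the device side. The sample lines are constructed; the field names follow the common FortiOS event-log layout, but the logid values, message wording and the 10.10.5.0/24 trusted range are illustrative assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample events in FortiGate key=value syslog style. Field names
# mirror the usual FortiOS layout; logid values and message text are
# illustrative assumptions, not copied from a real device.
SAMPLE_LOGS = """\
date=2026-02-03 time=09:12:41 devname="FGT-EDGE-01" logid="0100032001" type="event" subtype="system" level="information" user="admin" ui="https(10.10.5.20)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.5.20)"
date=2026-02-03 time=09:13:02 devname="FGT-EDGE-01" logid="0100032001" type="event" subtype="system" level="information" user="admin" ui="ssh(203.0.113.77)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.77)"
date=2026-02-03 time=09:13:40 devname="FGT-EDGE-01" logid="0100044547" type="event" subtype="system" level="notice" user="admin" ui="ssh(203.0.113.77)" action="execute" status="success" msg="User admin executed command: diagnose sniffer packet any 'port 389' 6 0 a"
date=2026-02-03 time=09:14:05 devname="FGT-EDGE-01" logid="0100032002" type="event" subtype="system" level="alert" user="svc_backup" ui="https(198.51.100.9)" action="login" status="failed" msg="Administrator svc_backup login failed from https(198.51.100.9)"
date=2026-02-03 time=09:14:06 devname="FGT-EDGE-01" logid="0100032002" type="event" subtype="system" level="alert" user="sysadmin" ui="https(198.51.100.9)" action="login" status="failed" msg="Administrator sysadmin login failed from https(198.51.100.9)"
date=2026-02-03 time=09:14:07 devname="FGT-EDGE-01" logid="0100032002" type="event" subtype="system" level="alert" user="fortinet" ui="https(198.51.100.9)" action="login" status="failed" msg="Administrator fortinet login failed from https(198.51.100.9)"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# FortiOS reports the admin channel as ui="<proto>(<client ip>)".
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {k: quoted or plain for k, quoted, plain in KV_RE.findall(line)}


def source_ip(event):
    """Client IP from the ui field, or None if the field is absent/odd."""
    m = UI_RE.match(event.get("ui", ""))
    return m.group(2) if m else None


def in_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def hunt(log_text, trusted_cidrs=("10.10.5.0/24",), failed_threshold=3):
    """Return a list of findings (dicts with a 'rule' key) for the log text."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    failed_by_src = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ip = source_ip(ev)
        when = f'{ev.get("date", "?")} {ev.get("time", "?")}'
        if ev.get("action") == "login" and ip:
            if ev.get("status") == "success" and not in_trusted(ip, trusted):
                findings.append({"rule": "admin-login-untrusted-source",
                                 "user": ev.get("user"), "src": ip, "time": when})
            elif ev.get("status") == "failed":
                failed_by_src[ip] += 1
        # The implant drives the built-in sniffer; any invocation not tied to a
        # known troubleshooting ticket deserves a look.
        if "diagnose sniffer packet" in ev.get("msg", ""):
            findings.append({"rule": "packet-sniffer-invoked",
                             "user": ev.get("user"), "src": ip, "time": when,
                             "command": ev.get("msg")})
    # Password guessing shows up as many failed admin logins from one source.
    for ip, n in failed_by_src.items():
        if n >= failed_threshold:
            findings.append({"rule": "admin-login-bruteforce", "src": ip, "count": n})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Feed it the output of a syslog export rather than the sample, and treat the trusted range as the same list you push into the device's admin trusthost settings, so the two checks agree. For a real hunt, the brute-force counter should also be bucketed by time window; the simple per-source count here keeps the example short.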

FAQ

Is CVE-2026-24858 the FortiBleed vulnerability?
No. Fortinet states FortiBleed does not exploit a new vulnerability — it's credential reuse and brute-force. CVE-2026-24858 is one of three SSO auth-bypass bugs whose earlier exploitation helped harvest the credentials FortiBleed now abuses.
Is CVE-2026-24858 patched?
Yes. Fortinet fixed it in January 2026 (advisory FG-IR-26-060). It was added to CISA KEV on January 27, 2026 because it was exploited before the fix.
Which products are affected?
FortiOS, FortiProxy, FortiManager, FortiAnalyzer and FortiNAC-F across the 7.0–7.6 branches. Check FG-IR-26-060 for the exact fixed build for your product.
Who is behind FortiBleed?
Attribution is unconfirmed. Unit 42 and some researchers tentatively associate it with a Russian-speaking access broker ('SantaAd'), but this has not been independently corroborated.