Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected
Estimated reading time: 8 minutes
Key Takeaways:
- CVE-2026-24858 is a critical authentication bypass in FortiOS Single Sign-On (SSO) with a CVSS score of 9.4, currently under active exploitation.
- Attackers are using rogue FortiCloud accounts to gain administrative access, exfiltrate configurations, and establish persistence via new VPN accounts.
- Microsoft has released emergency patches for CVE-2026-21509, an Office zero-day vulnerability bypassing OLE security mitigations.
- The World Leaks ransomware group (formerly Hunters International) has targeted Nike in a 1.4 TB data extortion campaign.
- Immediate action is required for legacy systems, as over 800,000 servers remain exposed via the insecure Telnet protocol.
Table of Contents
- Technical Analysis: Fortinet Patches CVE-2026-24858
- Microsoft Office Zero-Day: CVE-2026-21509
- Extortion and Data Leaks: The Nike Incident
- Critical Infrastructure Defense: Thwarting Russian Wiper Malware
- Legacy Protocol Risks: Telnet Exposure
- Professional Analysis of Current Threats
- Practical Takeaways for Technical Teams
- Practical Takeaways for Business Leaders
- PurpleOps Expertise and Services
- Frequently Asked Questions
The security environment for January 2026 is currently defined by critical vulnerabilities in widely deployed enterprise software. On January 27, 2026, Fortinet released emergency patches to address a high-severity authentication bypass vulnerability. This flaw, identified as CVE-2026-24858, directly impacts FortiOS, FortiManager, and FortiAnalyzer. Evidence confirms active exploitation in the wild, leading to the unauthorized creation of administrative accounts and configuration exfiltration.
At PurpleOps, our cyber threat intelligence platform monitors such developments in real-time to provide context for infrastructure defense. The following analysis details the technical specifics of CVE-2026-24858, concurrent zero-day threats in the Microsoft ecosystem, and recent extortion activities targeting global brands.
Technical Analysis: Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected
CVE-2026-24858 carries a CVSS score of 9.4, classifying it as a critical security flaw. The vulnerability is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel. It resides within the Single Sign-On (SSO) mechanism of FortiOS. Specifically, an attacker with an existing FortiCloud account and a registered device can exploit this bypass to gain access to other devices registered under different accounts, provided that FortiCloud SSO authentication is enabled on the target systems.
The exploitation process identified by researchers indicates that threat actors utilized a “new attack path” to achieve SSO logins without valid credentials. Once access is gained, actors have been observed performing the following actions:
- Creating local administrator accounts to ensure persistent access.
- Modifying system configurations to grant VPN access to these unauthorized accounts.
- Exfiltrating firewall configuration files, which often contain sensitive architectural data and credential hashes.
Fortinet has identified two specific malicious FortiCloud accounts used in these campaigns: cloud-noc@mail.io and cloud-init@mail.io. These accounts were disabled on January 22, 2026. Further remediation involved disabling FortiCloud SSO globally on January 26, followed by a selective re-enabling on January 27. The current state allows SSO functionality only for devices running updated, non-vulnerable firmware versions.
While FortiCloud SSO is not enabled in factory default settings, it is frequently activated during the registration process to FortiCare via the Graphical User Interface (GUI).
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to the Known Exploited Vulnerabilities (KEV) catalog on January 28, 2026. Organizations should integrate real-time ransomware intelligence to identify if these access methods are being sold as initial access vectors on the dark web.
Microsoft Office Zero-Day: CVE-2026-21509
Simultaneous with the Fortinet activity, Microsoft issued out-of-band patches for CVE-2026-21509. This vulnerability is a security feature bypass in Microsoft Office with a CVSS score of 7.8. The flaw allows an attacker to bypass Object Linking and Embedding (OLE) mitigations designed to protect users from malicious COM/OLE controls.
Exploitation requires a victim to open a specially crafted Office file sent by the attacker. While the Preview Pane is not a viable attack vector for this specific flaw, the reliance on untrusted inputs for security decisions makes it a potent tool for targeted phishing.
For Office 2016 and 2019, manual updates are required. Engineers are advised to verify the following build versions:
• Microsoft Office 2019: 16.0.10417.20095
• Microsoft Office 2016: 16.0.5539.1001
These mitigations are critical for organizations managing a complex software inventory where supply-chain risk monitoring is a priority.
Extortion and Data Leaks: The Nike Incident
The ransomware group known as “World Leaks” recently listed Nike on its dark web data-leak site. The group claims to have exfiltrated 1.4 TB of data, totaling approximately 190,000 files. These files reportedly contain proprietary corporate data and details concerning business operations.
World Leaks is a rebrand of the “Hunters International” group. In January 2025, the group shifted its strategy from traditional file encryption to a pure data theft and extortion model. This shift suggests that the group views the risks associated with deploying locker malware as exceeding the potential rewards, favoring the lower profile of silent data exfiltration.
This case demonstrates the necessity of a dark web monitoring service and brand leak alerting to detect data exposure before it becomes public knowledge.
Critical Infrastructure Defense: Thwarting Russian Wiper Malware
In late December 2025, Poland successfully blocked a disruptive cyberattack targeting its energy sector. Attribution by ESET points to Sandworm (also known as APT44 or Seashell Blizzard), a unit of Russia’s GRU (Unit 74455).
The attackers deployed a new variant of wiper malware dubbed “DynoWiper.” This malware is designed for data destruction rather than espionage, intended to render systems inoperable by permanently erasing critical files. While the hackers gained entry to the systems, Polish security measures prevented the execution of the destructive payload.
Legacy Protocol Risks: Telnet Exposure
Recent scans indicate that approximately 800,000 servers remain exposed via the Telnet protocol, a legacy system that transmits data, including credentials, in cleartext. Active attacks are currently targeting these servers to enlist them into botnets or use them as pivot points for internal network penetration.
The continued use of Telnet in production environments represents a significant failure in basic security hygiene. Remediation requires the immediate transition to encrypted protocols like SSH and the implementation of strict firewall rules to block port 23.
Professional Analysis of Current Threats
The convergence of these events illustrates a period of high activity for both state-sponsored actors and financially motivated extortionists. The Fortinet SSO bypass is particularly concerning because it targets the very infrastructure used to secure remote access. When an authentication bypass exists in a security appliance, the entire zero-trust architecture is undermined.
Similarly, the transition of groups like Hunters International to the World Leaks extortion-only model reflects a maturation of the cybercrime economy. By focusing on data theft, they reduce the technical complexity of their operations while maintaining high leverage over victims through the threat of regulatory fines and brand damage.
Practical Takeaways for Technical Teams
- Patch Management: Prioritize the update of Fortinet devices to the latest firmware. If an immediate update is not possible, disable the “Allow administrative login using FortiCloud SSO” feature in the GUI.
- Audit for Compromise: Check for unauthorized local admin accounts or modifications to VPN settings. Look for associations with
cloud-noc@mail.ioorcloud-init@mail.io. - Microsoft Office Mitigation: Deploy the registry-based OLE bypass mitigations to workstations running Office 2016 or 2019.
- Credential Rotation: If compromise is suspected, rotate all administrative credentials and secrets, including integrated LDAP/AD accounts.
- Protocol Hardening: Conduct a global scan for Telnet (Port 23) and replace it with SSH (Port 22) immediately.
Practical Takeaways for Business Leaders
- Review SSO Policies: Verify whether FortiCloud SSO is used for administrative access and ensure it is properly configured.
- Incident Response Readiness: Review incident response plans to include specific playbooks for data extortion and regulatory communication.
- Third-Party Risk: Ensure that supply-chain risk monitoring is integrated into your procurement process.
- Investment in Intelligence: Utilize a cyber threat intelligence platform to stay ahead of zero-day vulnerabilities.
PurpleOps Expertise and Services
Navigating this complex threat environment requires more than just reactive patching. PurpleOps provides the tools and expertise necessary to identify vulnerabilities before they are exploited.
Our PurpleOps Solutions services are designed to identify the subtle signs of persistence. By combining dark web monitoring service capabilities with underground forum intelligence, we provide a clear view of the threats targeting your specific industry.
For organizations concerned about the integrity of their network perimeter, our and red team operations simulate the tactics of advanced persistent threats like Sandworm.
Explore our platform and services to secure your infrastructure:
• PurpleOps Cybersecurity Platform
• PurpleOps Solutions
• Cyber Threat Intelligence
• Dark Web Monitoring
• Ransomware Protection
•
• Red Team Operations
• Supply Chain Security
Frequently Asked Questions
What is CVE-2026-24858?
It is a critical authentication bypass vulnerability (CVSS 9.4) in FortiOS Single Sign-On that allows attackers with a registered FortiCloud device to access other systems without valid credentials.
Is FortiCloud SSO enabled by default?
No, it is not enabled by default but is often activated during the FortiCare registration process through the GUI.
Which Microsoft Office versions are affected by CVE-2026-21509?
Microsoft Office 2016, 2019, 2021, and Microsoft 365 are affected. Office 2016 and 2019 require manual updates to specific build versions.
Who is the “World Leaks” group?
World Leaks is a rebranding of the Hunters International ransomware group, which now focuses primarily on a data theft and extortion model rather than file encryption.
How do I check for compromise on my Fortinet device?
Administrators should audit local accounts for unknown users, check VPN configuration changes, and look for logs associated with the malicious accounts cloud-noc@mail.io and cloud-init@mail.io.