Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected
Estimated Reading Time: 7 minutes
Key Takeaways:
- Critical Vulnerability: Fortinet has addressed CVE-2026-24858 (CVSS 9.4), an authentication bypass being actively exploited in the wild.
- State-Sponsored Sabotage: Russian group ELECTRUM targeted Polish power grids, focusing on the physical destruction of OT equipment.
- Law Enforcement Action: The FBI successfully seized the RAMP cybercrime forum, a major hub for ransomware operations.
- Supply Chain Risk: eScan antivirus update servers were compromised to distribute malware via a legitimate-looking update process.
- Critical Patching: SolarWinds released urgent fixes for multiple RCE and authentication bypass flaws in its Web Help Desk software.
Table of Contents
- Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected
- Russian ELECTRUM and the Targeting of Polish Power Grids
- FBI Seizure of the RAMP Cybercrime Forum
- Supply Chain Compromise: eScan Antivirus Update Breach
- SolarWinds Web Help Desk Critical Vulnerabilities
- Technical Remediation and Practical Takeaways
- PurpleOps Expertise in Threat Mitigation
- Frequently Asked Questions
Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected
On January 28, 2026, Fortinet confirmed the release of critical security patches to address an authentication bypass vulnerability impacting FortiOS, FortiManager, and FortiAnalyzer. The vulnerability, identified as CVE-2026-24858, has a CVSS score of 9.4 and is currently under active exploitation by unidentified threat actors. This incident follows a series of reports indicating that attackers have successfully bypassed Single Sign-On (SSO) mechanisms to gain administrative access to network security appliances.

The core of the issue resides in an “Authentication Bypass Using an Alternate Path or Channel” [CWE-288] within the FortiCloud SSO authentication flow. Under specific conditions, an attacker possessing a valid FortiCloud account and a registered device can gain unauthorized access to other devices registered under different accounts, provided those devices have FortiCloud SSO enabled for administrative login.
While FortiCloud SSO is not enabled by default in factory settings, it is often activated during the device registration process via the Graphical User Interface (GUI). Unless administrators manually disable the “Allow administrative login using FortiCloud SSO” toggle, the device remains susceptible to this bypass.
In documented cases of exploitation, threat actors utilized this bypass to create local administrator accounts, ensuring persistent access. These accounts were then used to modify configurations, specifically granting VPN access, and to exfiltrate firewall configuration files. The exfiltration of these files is a high-risk event, as it provides attackers with a roadmap of the internal network and existing security policies.
Fortinet’s response involved a multi-stage remediation process. On January 22, 2026, the company locked two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io). By January 26, FortiCloud SSO was disabled globally on the provider side, and it was re-enabled on January 27 with mandatory restrictions preventing logins from devices running vulnerable firmware. Consequently, the use of a cyber threat intelligence platform has become essential for organizations to track these rapid changes in the threat landscape.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog. This designation requires Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by January 30, 2026. Furthermore, investigation continues into whether FortiSwitch Manager and FortiWeb are fully impacted, though initial guidance suggests FortiProxy and FortiWeb users should also prioritize updates.
Russian ELECTRUM and the Targeting of Polish Power Grids
Alongside the Fortinet exploitation, a coordinated cyber attack targeted the Polish power grid in late December 2025. Analysis attributed this activity to ELECTRUM, a Russian state-sponsored group with links to the Sandworm (APT44) cluster. This incident represents a significant escalation in the targeting of distributed energy resources (DERs).
The attack affected communication and control systems at combined heat and power (CHP) facilities, as well as wind and solar site management. Although the attack did not trigger widespread power outages, the adversaries successfully disabled operational technology (OT) equipment beyond repair. This level of physical disruption indicates a shift from mere reconnaissance to active sabotage.
The operational model employed involves a clear division of labor between two sub-groups: KAMACITE (initial access) and ELECTRUM (OT execution and sabotage).
In the Poland incident, the attackers gained access to Remote Terminal Units (RTUs) and communication infrastructure. After establishing a foothold, they wiped Windows-based devices to hinder recovery efforts and reset configurations to brick essential hardware. This case demonstrates the necessity of supply-chain risk monitoring and a deep understanding of OT-specific threats. Threat actors are no longer content with data theft; they are increasingly focused on the destruction of critical infrastructure.
FBI Seizure of the RAMP Cybercrime Forum
The landscape of ransomware operations faced a disruption on January 28, 2026, when the FBI seized the RAMP cybercrime forum. RAMP, known for its slogan “THE ONLY PLACE RANSOMWARE ALLOWED,” served as a primary hub for ransomware-as-a-service (RaaS) recruitment, malware advertising, and network access sales.
The seizure involved both the Tor onion service and the clearnet domain ramp4u[.]io. Law enforcement now potentially holds access to a significant volume of metadata, including IP addresses, private messages, and financial transaction records of forum participants. This data is critical for underground forum intelligence and can lead to the identification of affiliates and core operators.
RAMP was established in July 2021 by a threat actor known as “Orange” (linked to Mikhail Matveev), following the ban on ransomware promotion by other major forums like XSS and Exploit. The forum’s history was marked by internal disputes, particularly after the Babuk ransomware attack on the D.C. Metropolitan Police Department. The seizure of RAMP forces threat actors to migrate to other platforms, often increasing their reliance on Telegram threat monitoring to maintain communication channels and coordinate attacks.
Supply Chain Compromise: eScan Antivirus Update Breach
In a critical supply chain incident, MicroWorld Technologies, the developer of eScan antivirus, confirmed that one of its regional update servers was compromised. On January 20, 2026, during a two-hour window, the server distributed a malicious update to a subset of customers.
The breach allowed attackers to place a modified version of the legitimate Reload.exe component into the distribution path. Although the file appeared to be signed with an eScan certificate, the signature was invalid. The malicious update performed several functions:
- Established persistence on the endpoint.
- Modified the Windows HOSTS file to block future legitimate updates from eScan servers.
- Connected to Command and Control (C2) infrastructure to download second-stage payloads.
The final payload, identified as CONSCTLX.exe, functioned as a persistent downloader and backdoor. Persistence was further maintained through scheduled tasks disguised as system utilities (e.g., “CorelDefrag”). This incident underscores the risk inherent in trusted update mechanisms and the need for breach detection capabilities that can identify anomalous behavior even within signed processes. Organizations must utilize real-time ransomware intelligence to detect and block the specific C2 domains used in such sophisticated supply chain attacks.
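The HOSTS-file tampering described above is cheap to check for across a fleet. The following is an added example, not eScan's or MicroWorld's own tooling: it parses HOSTS contents and reports any vendor update hostname that has been pinned to a sinkhole or foreign address, plus any other non-local name sinkholed the same way. The update hostnames and the sample file are constructed placeholders, not eScan's real infrastructure.

```python
from typing import Dict, List, Set

# Addresses commonly used to "sinkhole" a hostname via the HOSTS file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Hostnames that legitimately resolve to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample HOSTS contents; the *.invalid update hostnames are
# placeholders standing in for a vendor's real update servers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid   # added by the tampered updater
0.0.0.0         dl.example-av.invalid
10.0.0.10       intranet.corp.example
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address it is pinned to, ignoring comments."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            pinned[name.lower()] = addr
    return pinned


def find_sinkholed(text: str, protected_hosts: Set[str]) -> List[str]:
    """Report update hosts pinned anywhere (blocked or redirected) and any
    other non-local hostname pinned to a sinkhole address."""
    findings: List[str] = []
    for name, addr in parse_hosts(text).items():
        if name in LOCAL_NAMES:
            continue
        if addr in SINKHOLE_ADDRS:
            tag = "update host blocked" if name in protected_hosts else "non-local name sinkholed"
            findings.append(f"{tag}: {name} -> {addr}")
        elif name in protected_hosts:
            findings.append(f"update host redirected: {name} -> {addr}")
    return findings
```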
SolarWinds Web Help Desk Critical Vulnerabilities
SolarWinds has issued patches for multiple critical vulnerabilities in its Web Help Desk (WHD) software. These flaws include authentication bypasses and remote command execution (RCE) capabilities that can be exploited by unauthenticated remote attackers.
Key vulnerabilities addressed in the 2026.1 update include:
- CVE-2025-40552 & CVE-2025-40554: Authentication bypass flaws allowing unauthorized access to the application.
- CVE-2025-40553: An untrusted data deserialization flaw leading to RCE.
- CVE-2025-40551: A second RCE vulnerability exploitable by unauthenticated actors.
- CVE-2025-40537: High-severity hardcoded credentials granting administrative access.
Historical data shows that SolarWinds WHD vulnerabilities are frequently targeted by attackers. Previous RCE flaws in this product were exploited in the wild for over a year before comprehensive patches and CISA mandates were finalized. Given the wide adoption of WHD in healthcare, education, and government sectors, the immediate application of updates is necessary to prevent widespread exploitation.
Technical Remediation and Practical Takeaways
The convergence of these threats (network infrastructure zero-days, OT sabotage, forum seizures, and supply chain compromises) requires a structured approach to defense.
For Technical Teams:
- Firmware Management: Immediately upgrade Fortinet devices to the latest firmware versions. If an upgrade is not immediate, disable the “Allow administrative login using FortiCloud SSO” setting.
- Credential Rotation: In the event of a suspected Fortinet or SolarWinds compromise, rotate all administrative credentials. This includes LDAP or Active Directory accounts synced with these appliances.
- Integrity Verification: For eScan users, run the provided remediation tool to restore HOSTS files and verify the integrity of the Reload.exe binary.
- OT Segmentation: Ensure that OT environments are logically and physically segmented from IT networks. Use supply-chain risk monitoring to audit the security posture of RTU and ICS vendors.
- API Integration: Utilize a live ransomware API to ingest Indicators of Compromise (IoCs) directly into security orchestration tools.
For Business Leaders and Management:
- Audit SSO Policies: Review where Single Sign-On is utilized for administrative access. Misconfiguration in edge security devices creates a single point of failure.
- Resource Allocation: Prioritize the patching of internet-facing management consoles, such as SolarWinds Web Help Desk.
- Intelligence Strategy: Invest in brand leak alerting and a dark web monitoring service to identify if configuration files or credentials have been leaked.
- Incident Response: Update incident response plans to include scenarios for physical equipment destruction, ensuring hardware spares are readily available.
PurpleOps Expertise in Threat Mitigation
The complexity of modern cyber threats requires more than just reactive patching. PurpleOps provides the specialized expertise necessary to navigate these challenges through comprehensive security services and advanced monitoring solutions.
Our Cyber Threat Intelligence platform enables organizations to stay ahead of actors like ELECTRUM by providing deep insights into their tactics, techniques, and procedures (TTPs). By integrating underground forum intelligence and Telegram threat monitoring, PurpleOps identifies emerging threats and credential leaks before they are utilized in an active campaign.
For organizations managing critical infrastructure or complex supply chains, our services are designed to detect the subtle indicators of a breach. Whether it is identifying an authentication bypass on a firewall or detecting a malicious update in a security product, PurpleOps offers the tools and expertise required for modern defense.
Explore how our specialized services can secure your environment:
- Cyber Threat Intelligence
- Dark Web Monitoring
- Supply Chain Information Security
- Protect Against Ransomware
- Penetration Testing
- Red Team Operations
- PurpleOps Platform Overview
- Our Full Range of Services
Frequently Asked Questions
How can I tell if my Fortinet device was compromised via CVE-2026-24858?
Check for unauthorized local administrator accounts and review system logs for logins originating from the malicious FortiCloud accounts cloud-noc@mail.io and cloud-init@mail.io. Look for configuration changes related to VPN settings or file exfiltration logs.
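The checks in this answer can be scripted against exported event logs. The following is an added example, not Fortinet's or PurpleOps' own tooling: it parses FortiOS-style key=value event-log lines and chains the three signals the article describes (a login by one of the locked FortiCloud accounts, a local admin account created during that session, and a later VPN configuration change made by that new account). The sample log lines are constructed; the field names and values beyond user, action, cfgpath, cfgobj and srcip are illustrative rather than taken from a real FortiOS log schema.

```python
import shlex
from typing import Dict, Iterable, List

# The two FortiCloud accounts Fortinet locked, as named in the article.
SUSPECT_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# Constructed sample lines in FortiOS key=value event-log style. Field names
# other than user/action/cfgpath/cfgobj/srcip and all values are illustrative.
SAMPLE_LOGS = [
    'date=2026-01-25 time=03:12:41 type="event" subtype="system" action="login" '
    'status="success" user="cloud-noc@mail.io" method="forticloud-sso" srcip=198.51.100.23',
    'date=2026-01-25 time=03:13:02 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" user="cloud-noc@mail.io" msg="Add system.admin svc_backup"',
    'date=2026-01-25 time=03:15:10 type="event" subtype="system" action="Edit" '
    'cfgpath="vpn.ssl.settings" user="svc_backup" msg="Edit vpn.ssl.settings"',
    'date=2026-01-25 time=09:00:00 type="event" subtype="system" action="login" '
    'status="success" user="admin" method="https" srcip=10.0.0.5',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value line into a dict (shlex handles quoting)."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def triage(lines: Iterable[str]) -> List[str]:
    """Flag suspect SSO logins, local admins they create, and VPN changes
    made afterwards, linking changes back to accounts those logins created."""
    findings: List[str] = []
    created_by_suspect = set()
    for line in lines:
        f = parse_kv(line)
        user = f.get("user", "")
        action = f.get("action", "").lower()
        cfgpath = f.get("cfgpath", "")
        if action == "login" and user in SUSPECT_SSO_ACCOUNTS:
            findings.append(f"suspect SSO login: {user} from {f.get('srcip', '?')}")
        if action == "add" and cfgpath == "system.admin":
            new_admin = f.get("cfgobj", "?")
            findings.append(f"new local admin {new_admin} created by {user}")
            if user in SUSPECT_SSO_ACCOUNTS:
                created_by_suspect.add(new_admin)
        if cfgpath.startswith("vpn.") and action in {"add", "edit"}:
            note = " (account created by suspect SSO login)" if user in created_by_suspect else ""
            findings.append(f"VPN config change {cfgpath} by {user}{note}")
    return findings
```

Run `triage(SAMPLE_LOGS)` to see the three chained findings; the routine admin login over HTTPS produces none.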
Is FortiCloud SSO enabled by default?
No, it is not enabled in factory settings. However, it is frequently enabled by administrators during the initial registration process through the GUI. If you haven’t explicitly disabled it, your device may be vulnerable.
What was the primary goal of the ELECTRUM attacks in Poland?
Unlike typical cyber espionage aimed at data theft, ELECTRUM focused on physical sabotage. They manipulated OT control systems to disable hardware beyond repair, specifically targeting energy infrastructure.
Why is the FBI seizure of the RAMP forum significant?
RAMP was a major hub for ransomware coordination. The seizure allows law enforcement to collect metadata, private communications, and financial records that can lead to the identification and prosecution of high-level ransomware operators and affiliates.
What should eScan users do following the supply chain breach?
Users should immediately run the official remediation tool provided by MicroWorld Technologies to restore the HOSTS file and verify the integrity of the Reload.exe binary to ensure no persistence or backdoors remain.