CVE-2026-24858
Published: 27 January 2026
Summary
CVE-2026-24858 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet Fortianalyzer. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2026-24858 is an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products when FortiCloud SSO authentication is enabled. Impacted versions include FortiAnalyzer 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9 and 7.6.0–7.6.5; FortiManager in the same ranges; FortiNAC-F 7.6.3–7.6.5; FortiOS 7.0.0–7.0.18, 7.2.0–7.2.12, 7.4.0–7.4.10 and 7.6.0–7.6.5; FortiProxy 7.0.0–7.0.22, 7.2.0–7.2.15, 7.4.0–7.4.12 and 7.6.0–7.6.4; and FortiWeb 7.4.0–7.4.11, 7.6.0–7.6.6 and 8.0.0–8.0.3. The flaw permits an attacker to authenticate to devices they do not own by leveraging an alternate path through FortiCloud SSO.
An attacker who possesses a valid FortiCloud account and at least one registered device can exploit the issue to obtain administrative access to other organizations’ devices that also have FortiCloud SSO enabled. Successful exploitation grants full control equivalent to a legitimate administrator, including the ability to read, modify or delete configuration and data on the affected appliances. The vulnerability carries a CVSS 3.1 score of 9.8.
Fortinet advisory FG-IR-26-060 and the associated analysis blog describe the root cause and recommend immediate upgrade to the fixed releases listed in the bulletin; organizations that cannot patch promptly are advised to disable FortiCloud SSO authentication. The issue also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
EPSS for the CVE rose sharply from a low baseline to a peak of 0.1645 on 28 January 2026 before receding to the current value of 0.0480, indicating a clear post-disclosure increase in exploitation interest.
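A triage script a defender might run over an appliance inventory, added here as an illustration (it is not Fortinet's code nor this tracker's). It transcribes the affected version ranges stated above, compares versions numerically rather than as strings, and classifies each device by whether it sits in an affected range and whether FortiCloud SSO is enabled. The page does not name the fixed releases, so the script deliberately does not encode them and instead points to advisory FG-IR-26-060; the device records at the bottom are constructed sample data, and the `Device` record layout and status strings are this example's own choices.

```python
"""Inventory triage for CVE-2026-24858 (FortiCloud SSO authentication bypass).

Added example, not Fortinet's or the tracker's code. Affected ranges are
transcribed from the advisory text; fixed releases are not on this page,
so they are intentionally absent and the advice defers to FG-IR-26-060.
"""
from __future__ import annotations
from dataclasses import dataclass

# Inclusive affected ranges per product, as stated in the advisory text.
AFFECTED: dict[str, list[tuple[str, str]]] = {
    "FortiAnalyzer": [("7.0.0", "7.0.15"), ("7.2.0", "7.2.11"), ("7.4.0", "7.4.9"), ("7.6.0", "7.6.5")],
    "FortiManager":  [("7.0.0", "7.0.15"), ("7.2.0", "7.2.11"), ("7.4.0", "7.4.9"), ("7.6.0", "7.6.5")],
    "FortiNAC-F":    [("7.6.3", "7.6.5")],
    "FortiOS":       [("7.0.0", "7.0.18"), ("7.2.0", "7.2.12"), ("7.4.0", "7.4.10"), ("7.6.0", "7.6.5")],
    "FortiProxy":    [("7.0.0", "7.0.22"), ("7.2.0", "7.2.15"), ("7.4.0", "7.4.12"), ("7.6.0", "7.6.4")],
    "FortiWeb":      [("7.4.0", "7.4.11"), ("7.6.0", "7.6.6"), ("8.0.0", "8.0.3")],
}

# Advice per triage status; wording is this example's, derived from the advisory summary.
ADVICE = {
    "exposed": "Affected release with FortiCloud SSO enabled: upgrade to a fixed "
               "release per FG-IR-26-060; if that cannot happen promptly, disable "
               "FortiCloud SSO authentication on the device.",
    "affected-version-sso-disabled": "Affected release but FortiCloud SSO is off: "
               "not reachable via the bypass path; still schedule the upgrade and "
               "make sure SSO is not re-enabled before patching.",
    "not-in-affected-range": "Version outside the published affected ranges; "
               "confirm against FG-IR-26-060 for the authoritative list.",
    "unknown-product": "Product not in the advisory's affected list; no action from this CVE.",
}


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '7.4.10' into (7, 4, 10). Numeric comparison matters: a plain
    string compare would rank '7.4.9' above '7.4.10'."""
    parts = v.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def affected_range(product: str, version: str) -> tuple[str, str] | None:
    """Return the inclusive (low, high) range covering `version`, or None."""
    ver = parse_version(version)
    for low, high in AFFECTED.get(product, []):
        if parse_version(low) <= ver <= parse_version(high):
            return (low, high)
    return None


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    version: str
    forticloud_sso_enabled: bool


def triage(dev: Device) -> str:
    """Classify one device; the status keys index ADVICE."""
    if dev.product not in AFFECTED:
        return "unknown-product"
    if affected_range(dev.product, dev.version) is None:
        return "not-in-affected-range"
    if not dev.forticloud_sso_enabled:
        return "affected-version-sso-disabled"
    return "exposed"


def triage_inventory(devices: list[Device]) -> dict[str, str]:
    """Map device name -> status for a whole inventory."""
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory (names, versions and SSO flags are invented).
SAMPLE_INVENTORY = [
    Device("faz-core-01", "FortiAnalyzer", "7.2.11", True),    # last version in range
    Device("fgt-edge-01", "FortiOS", "7.4.10", True),          # in range
    Device("fgt-edge-02", "FortiOS", "7.4.11", True),          # just past the range
    Device("fmg-lab-01", "FortiManager", "7.6.2", False),      # in range, SSO off
    Device("fweb-dmz-01", "FortiWeb", "8.0.4", True),          # past 8.0.3
    Device("fnac-01", "FortiNAC-F", "7.6.2", True),            # below 7.6.3
    Device("fsw-01", "FortiSwitch", "7.4.3", True),            # not in advisory list
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {status:32s} {ADVICE[status]}")
```

The status strings are intentionally coarse: "exposed" is the only class that needs same-day action, while the SSO-disabled class is the workaround state the advisory describes and still needs the upgrade tracked to completion.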
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4712
Vulnerability details
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- KEV Date Added: 27 January 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-24858 is an authentication bypass in public-facing Fortinet management and security products (e.g., FortiOS, FortiWeb), enabling unauthenticated remote exploitation for unauthorized access, directly mapping to Exploit Public-Facing Application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authenticated access decisions so that a FortiCloud SSO token from one account cannot be used to reach devices registered to another account.
- IA-2 (Identification and Authentication (Organizational Users)): Requires verified identification and authentication of organizational users before granting session access, blocking the alternate-path bypass described in CWE-288.
- Governs the integration and trust decisions made with external identity providers such as FortiCloud SSO, directly addressing the flawed SSO path that enables cross-account login.