Cyber Posture

CVE-2026-24858

Severity: Critical · CISA KEV · Active Exploitation · Updated

Published: 27 January 2026
Modified: 12 May 2026
KEV Added: 27 January 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0395 (88.5th percentile)
Risk Priority: 42 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24858 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiAnalyzer. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the authentication bypass by requiring timely remediation of the specific flaw through application of Fortinet vendor patches.

IA-13 Identity Providers and Authorization Servers (prevent)
Manages risks associated with external identity providers like FortiCloud by requiring agreements, token validation, and monitoring to prevent cross-account SSO abuse.

IA-8 Identification and Authentication (Non-Organizational Users) (prevent)
Enforces identification and authentication requirements for non-organizational users accessing via FortiCloud SSO, reducing the risk of unauthorized access to registered devices.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-24858 is an authentication bypass in public-facing Fortinet management and security products (e.g., FortiOS, FortiWeb), enabling unauthenticated remote exploitation for unauthorized access, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Deeper analysis

CVE-2026-24858 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) affecting multiple Fortinet products when FortiCloud SSO authentication is enabled. The impacted components include FortiAnalyzer versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15; FortiManager versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15; FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18; FortiProxy versions 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, and 7.0.0 through 7.0.22; and FortiWeb versions 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11. Published on January 27, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The attack is network-reachable with low complexity and requires no privileges on the target device (PR:N); what the attacker needs instead is a FortiCloud account of their own and a device registered to that account. Successful exploitation lets the attacker log into other devices registered to different FortiCloud accounts, bypassing those devices' authentication controls and gaining unauthorized access to them.

Fortinet's PSIRT advisory (FG-IR-26-060) at https://fortiguard.fortinet.com/psirt/FG-IR-26-060 provides details on patches and mitigations. Additional guidance appears in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858 and Fortinet's blog analysis of SSO abuse on FortiOS at https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios.

The vulnerability's inclusion in CISA's Known Exploited Vulnerabilities catalog indicates active real-world exploitation.

Details

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
KEV Date Added: 27 January 2026

Affected Products

Vendor    Product                      Versions
fortinet  fortianalyzer                7.0.0 — 7.0.15 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.10
fortinet  fortimanager                 7.0.0 — 7.0.15 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.10
fortinet  fortiproxy                   7.0.0 — 7.0.22 · 7.2.0 — 7.2.15 · 7.4.0 — 7.4.12
fortinet  fortiweb                     7.4.0 — 7.4.11 · 7.6.0 — 7.6.6 · 8.0.0 — 8.0.3
fortinet  fortios                      7.0.0 — 7.0.18 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.11
siemens   ruggedcom ape1808 firmware   all versions

CVEs Like This One

CVE-2024-55591 (same product: Fortinet FortiOS; both on KEV)
CVE-2025-24472 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-26009 (same product: Fortinet FortiOS)
CVE-2025-59718 (same product: Fortinet FortiOS; both on KEV)
CVE-2024-45324 (same product: Fortinet FortiOS)
CVE-2024-35279 (same product: Fortinet FortiOS)
CVE-2025-53847 (same product: Fortinet FortiOS)
CVE-2025-7775 (same product class: VPN / SSL gateway; both on KEV)
CVE-2025-0282 (same product class: VPN / SSL gateway; both on KEV)
CVE-2026-3055 (same product class: VPN / SSL gateway; both on KEV)
