Cyber Resilience

CVE-2026-24858

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Updated

Published: 27 January 2026
Modified: 09 June 2026
KEV Added: 27 January 2026
Patch: available (fixed releases are listed in Fortinet advisory FG-IR-26-060)
CVSS v3.1: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.8584 (99.7th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-24858 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Fortinet FortiAnalyzer and several other Fortinet products (FortiManager, FortiNAC-F, FortiOS, FortiProxy and FortiWeb) when FortiCloud SSO authentication is enabled. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigating controls our analysis identified are NIST SP 800-53 r5 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)). The immediate operational fix is to upgrade to a fixed release or, where that must wait, to disable FortiCloud SSO authentication on the affected devices.

Deeper analysis

CVE-2026-24858 is an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products when FortiCloud SSO authentication is enabled. Impacted versions include FortiAnalyzer 7.0.0–7.0.15, 7.2.0–7.2.11, 7.4.0–7.4.9 and 7.6.0–7.6.5; FortiManager in the same ranges; FortiNAC-F 7.6.3–7.6.5; FortiOS 7.0.0–7.0.18, 7.2.0–7.2.12, 7.4.0–7.4.10 and 7.6.0–7.6.5; FortiProxy 7.0.0–7.0.22, 7.2.0–7.2.15, 7.4.0–7.4.12 and 7.6.0–7.6.4; and FortiWeb 7.4.0–7.4.11, 7.6.0–7.6.6 and 8.0.0–8.0.3. The flaw permits an attacker to authenticate to devices they do not own by leveraging an alternate path through FortiCloud SSO.

An attacker who possesses a valid FortiCloud account and at least one registered device can exploit the issue to obtain administrative access to other organizations’ devices that also have FortiCloud SSO enabled. Successful exploitation grants full control equivalent to a legitimate administrator, including the ability to read, modify or delete configuration and data on the affected appliances. The vulnerability carries a CVSS 3.1 score of 9.8.

Fortinet advisory FG-IR-26-060 and the associated analysis blog describe the root cause and recommend immediate upgrade to the fixed releases listed in the bulletin; organizations that cannot patch promptly are advised to disable FortiCloud SSO authentication. Disabling SSO blocks new cross-account logins; devices that had SSO enabled while vulnerable should also be reviewed for administrator logins and configuration changes the organization did not make, since a successful attacker holds full administrative control. The issue also appears in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
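As an added example (not code from Fortinet, the advisory, or this tracker), the following Python script turns the affected ranges quoted on this page into an inventory triage: it parses device version strings, tests them against the inclusive ranges from the advisory text, and separates devices that are merely vulnerable (affected build, FortiCloud SSO off) from those that are exposed (affected build with FortiCloud SSO enabled). The inventory is constructed sample data, and the FortiOS CLI setting named in the comment is an assumption to verify against your release's CLI reference.

```python
"""Inventory triage for CVE-2026-24858 (FortiCloud SSO authentication bypass).

Added example, not Fortinet's or this tracker's code. Affected ranges are
transcribed from the advisory text on this page; the inventory is
constructed sample data.
"""
import re
from dataclasses import dataclass

# Inclusive affected ranges per product, as stated in the advisory text.
AFFECTED = {
    "FortiAnalyzer": [("7.0.0", "7.0.15"), ("7.2.0", "7.2.11"),
                      ("7.4.0", "7.4.9"), ("7.6.0", "7.6.5")],
    "FortiManager": [("7.0.0", "7.0.15"), ("7.2.0", "7.2.11"),
                     ("7.4.0", "7.4.9"), ("7.6.0", "7.6.5")],
    "FortiNAC-F": [("7.6.3", "7.6.5")],
    "FortiOS": [("7.0.0", "7.0.18"), ("7.2.0", "7.2.12"),
                ("7.4.0", "7.4.10"), ("7.6.0", "7.6.5")],
    "FortiProxy": [("7.0.0", "7.0.22"), ("7.2.0", "7.2.15"),
                   ("7.4.0", "7.4.12"), ("7.6.0", "7.6.4")],
    "FortiWeb": [("7.4.0", "7.4.11"), ("7.6.0", "7.6.6"), ("8.0.0", "8.0.3")],
}

# Mitigation when patching must wait (assumed FortiOS setting name; verify
# against your release's CLI reference and use the equivalent on the other
# products):
#   config system global
#       set admin-forticloud-sso-login disable
#   end
MITIGATE = "disable FortiCloud SSO admin login now, then upgrade per FG-IR-26-060"
PATCH = "upgrade per FG-IR-26-060 before enabling FortiCloud SSO"


def parse_version(text):
    """'v7.4.10,build2731' -> (7, 4, 10).

    Compares as an integer tuple so that 7.4.10 sorts after 7.4.9, which a
    plain string comparison would get wrong."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(product, version):
    """True if product/version lies inside any advisory range (bounds inclusive)."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        # Fail loudly: an unknown product is not the same as "not affected".
        raise KeyError(f"{product!r} is not in the advisory's product list")
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)


@dataclass
class Device:
    name: str
    product: str
    version: str
    forticloud_sso: bool  # FortiCloud SSO administrator login enabled?


def triage(device):
    """Return (status, action). 'exposed' means reachable through the SSO path."""
    if not is_affected(device.product, device.version):
        return ("not_affected", "no action for this CVE")
    if device.forticloud_sso:
        return ("exposed", MITIGATE)
    return ("vulnerable", PATCH)


def triage_inventory(devices):
    """Map device name -> status for a whole inventory."""
    return {d.name: triage(d)[0] for d in devices}


# Constructed sample inventory (not real hosts).
INVENTORY = [
    Device("fw-edge-01", "FortiOS", "v7.4.10,build2731", True),
    Device("fw-edge-02", "FortiOS", "7.4.11", True),
    Device("faz-01", "FortiAnalyzer", "7.4.10", False),
    Device("faz-02", "FortiAnalyzer", "7.4.9", True),
    Device("fweb-01", "FortiWeb", "8.0.3", False),
    Device("nac-01", "FortiNAC-F", "7.6.2", True),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        status, action = triage(dev)
        print(f"{dev.name:<12} {dev.product:<14} {dev.version:<20} {status:<13} {action}")
```

Run it as a script to print the triage table. Version strings that carry a build suffix, as FortiOS reports them, are handled, and an unknown product name raises instead of silently reporting "not affected", which is the safer failure mode for a check like this.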

EPSS for the CVE rose sharply from a low baseline to a peak of 0.1645 on 28 January 2026 before receding to the current value of 0.0480, indicating a clear post-disclosure increase in exploitation interest.


Vulnerability details

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

CWE(s): CWE-288 Authentication Bypass Using an Alternate Path or Channel
KEV Date Added: 27 January 2026

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-24858 is an authentication bypass in Internet-facing Fortinet management and security products (FortiOS, FortiProxy, FortiWeb, FortiAnalyzer, FortiManager and FortiNAC-F). It needs no credentials on the targeted device (CVSS PR:N), although the attacker must hold their own FortiCloud account and a registered device, so exploitation is remote against the exposed management interface and maps directly to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55591 · same product: Fortinet FortiOS · both on KEV
CVE-2025-24472 · same product: Fortinet FortiOS · both on KEV
CVE-2025-59718 · same product: Fortinet FortiOS · both on KEV
CVE-2024-26009 · same product: Fortinet FortiOS
CVE-2024-45324 · same product: Fortinet FortiOS
CVE-2023-25610 · same product: Fortinet FortiAnalyzer
CVE-2025-53847 · same product: Fortinet FortiOS
CVE-2026-3055 · same product class: VPN / SSL gateway · both on KEV
CVE-2025-7775 · same product class: VPN / SSL gateway · both on KEV
CVE-2024-35279 · same product: Fortinet FortiOS

Affected Assets

Vendor / product: version ranges as listed by this tracker

fortinet / fortianalyzer: 7.0.0 — 7.0.15 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.10
fortinet / fortimanager: 7.0.0 — 7.0.15 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.10
fortinet / fortinac-f: 7.6.3 — 7.6.6
fortinet / fortiproxy: 7.0.0 — 7.0.22 · 7.2.0 — 7.2.15 · 7.4.0 — 7.4.12
fortinet / fortiweb: 7.4.0 — 7.4.11 · 7.6.0 — 7.6.6 · 8.0.0 — 8.0.3
fortinet / fortios: 7.0.0 — 7.0.18 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.11
siemens / ruggedcom ape1808 firmware: all versions

Caveat: several of these ranges do not match the advisory text under Vulnerability details (there, FortiAnalyzer and FortiManager 7.4.x end at 7.4.9, FortiNAC-F at 7.6.5 and FortiOS 7.4.x at 7.4.10, and the 7.6.x branches of FortiAnalyzer, FortiManager, FortiOS and FortiProxy are absent from this list). Treat the advisory text as authoritative when checking a device; an upper bound in this list may be the first fixed build rather than the last affected one.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authenticated access decisions so that a FortiCloud SSO token from one account cannot be used to reach devices registered to another account.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires verified identification and authentication of organizational users before granting session access, blocking the alternate-path bypass described in CWE-288.

Identity-provider trust (prevent): Governs the integration and trust decisions made with external identity providers such as FortiCloud SSO, directly addressing the flawed SSO path that enables cross-account login.
