CVE-2026-24858
Published: 27 January 2026
Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the authentication bypass by requiring timely remediation of the specific flaw through application of Fortinet vendor patches.
Manages risks associated with external identity providers like FortiCloud by requiring agreements, token validation, and monitoring to prevent cross-account SSO abuse.
Enforces identification and authentication requirements for non-organizational users accessing via FortiCloud SSO, reducing the risk of unauthorized access to registered devices.
Security Summary
CVE-2026-24858 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) affecting multiple Fortinet products when FortiCloud SSO authentication is enabled. The impacted components include FortiAnalyzer versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15; FortiManager versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.15; FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18; FortiProxy versions 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, and 7.0.0 through 7.0.22; and FortiWeb versions 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11. Published on January 27, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker over the network with low complexity requirements can exploit this vulnerability if they possess a FortiCloud account and a device registered to that account. Successful exploitation enables the attacker to log into other devices registered to different FortiCloud accounts, bypassing authentication controls and gaining unauthorized access to those systems.
Fortinet's PSIRT advisory (FG-IR-26-060) at https://fortiguard.fortinet.com/psirt/FG-IR-26-060 provides details on patches and mitigations. Additional guidance appears in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858 and Fortinet's blog analysis of SSO abuse on FortiOS at https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios.
The vulnerability's inclusion in CISA's Known Exploited Vulnerabilities catalog indicates active real-world exploitation.
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- KEV Date Added: 27 January 2026
Affected Products
FortiAnalyzer, FortiManager, FortiOS, FortiProxy and FortiWeb; the affected version ranges are those listed in the Description above.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-24858 is an authentication bypass in public-facing Fortinet management and security products (e.g., FortiOS, FortiWeb), enabling unauthenticated remote exploitation for unauthorized access, directly mapping to Exploit Public-Facing Application.