CVE-2026-24858

Known Exploited Vulnerability Entry External Catalog

Back to Catalog View Vulnerability

Entry Details

Vulnerability ID

CVE-2026-24858

Status

Confirmed

Exploited

Yes

Status Updated At

2026-01-27 00:00 UTC

Timestamps

First Seen At

2026-01-27

Asserted At

2026-01-27

Scope

Notes

KEV entry: Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability | Affected: Fortinet / Multiple Products | Description: Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-01-30 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available. For more information please see: https://fortiguard.fortinet.com/psirt/FG-IR-26-060 ; https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios ; https://nvd.nist.gov/vuln/detail/CVE-2026-24858

References

{'id': 'CVE-2026-24858', 'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-24858'}

Entry UUID

420c26f0-ae54-4a16-acae-167c5942a595

Catalog Origin UUID

405284c2-e461-4670-8979-7fd2c9755a60

Created

2026-02-02 13:24 UTC

Last Updated

2026-02-06 07:53 UTC

Evidence (1)

Type Source Signal Confidence Details GCVE Metadata

Type	Source	Signal	Confidence	Details	GCVE Metadata
vendor_report	cisa-kev	successful_exploitation	0.80	View details `{ "cwes": [ "CWE-288" ], "date_added": "2026-01-27", "due_date": "2026-01-30", "feed": "CISA Known Exploited Vulnerabilities Catalog", "knownRansomwareCampaignUse": "Unknown", "product": "Multiple Products", "vendorProject": "Fortinet", "vulnerabilityName": "Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability" }`	-

vendor_report

cisa-kev

successful_exploitation

0.80

View details

{
  "cwes": [
    "CWE-288"
  ],
  "date_added": "2026-01-27",
  "due_date": "2026-01-30",
  "feed": "CISA Known Exploited Vulnerabilities Catalog",
  "knownRansomwareCampaignUse": "Unknown",
  "product": "Multiple Products",
  "vendorProject": "Fortinet",
  "vulnerabilityName": "Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability"
}

Export Options

JSON Object JSON API View Full Catalog