TROYANOSYVIRUS
Volver a CVEs

CVE-2026-24858

CRITICALCISA KEV
9.8

Descripcion

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Detalles CVE

Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado1/27/2026
Ultima modificacion1/29/2026
Fuentekev
Avistamientos honeypot0

CISA KEV

VendedorFortinet
ProductoMultiple Products
Nombre vulnerabilidadFortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability
Fecha inclusion KEV2026-01-27
Fecha limite remediacion2026-01-30
Uso en ransomwareUnknown

Productos afectados

fortinet:fortianalyzerfortinet:fortimanagerfortinet:fortiosfortinet:fortiproxyfortinet:fortiweb

Debilidades (CWE)

CWE-288

Referencias

https://fortiguard.fortinet.com/psirt/FG-IR-26-060(psirt@fortinet.com)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.