TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2026-24858

CRITICALCISA KEV
9.8

Beschreibung

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

CVE Details

CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht1/27/2026
Zuletzt geandert1/29/2026
Quellekev
Honeypot-Sichtungen0

CISA KEV

HerstellerFortinet
ProduktMultiple Products
SchwachstellennameFortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability
KEV Aufnahmedatum2026-01-27
Behebungsfrist2026-01-30
Ransomware-NutzungUnknown

Betroffene Produkte

fortinet:fortianalyzerfortinet:fortimanagerfortinet:fortiosfortinet:fortiproxyfortinet:fortiweb

Schwachen (CWE)

CWE-288

Referenzen

https://fortiguard.fortinet.com/psirt/FG-IR-26-060(psirt@fortinet.com)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.