CRITICAL | CISA KEV | IN THE WILD

CVE-2026-24858

Published: January 27, 2026

CVSS v3.1: 9.8
EPSS: 2.42% probability of exploitation in 30 days (percentile: 84.9th)

Official Description

Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

NVD Source

CISA KEV Advisory

Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability

Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Added to KEV: 2026-01-27
Federal patch deadline: 2026-01-30

Required Action (CISA)

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Risk Analysis

This critical vulnerability in Fortinet products allows an attacker with a FortiCloud account and a registered device to bypass authentication and log into other devices registered to different accounts, provided FortiCloud SSO is enabled. Its CVSS score of 9.8 and confirmed exploitation in the wild highlight the severe risk of unauthorized access.

This vulnerability is actively being exploited in the wild and is included in CISA's KEV catalog. It is remotely exploitable with low attack complexity.

Recommended Action

Disable FortiCloud SSO authentication if not strictly necessary, and apply all vendor-provided patches for Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-24858 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

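The CVSS vector scores the vulnerability as requiring no privileges and no user interaction (the official description notes that the attacker needs their own FortiCloud account and a registered device), making it a prime target for automated exploitation campaigns and worm-like propagation.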

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), for a CVSS base score of 9.8.

CISA has added CVE-2026-24858 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Req.: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: High
Integrity: High
Availability: High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Fortinet
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

News & Research Mentioning CVE-2026-24858

Siemens RUGGEDCOM APE1808 Devices
CISA Alerts · Mar 12, 2026

Summary: Fortinet has published information on vulnerabilities in FORTIOS. This advisory lists the related Siemens Industrial products. Siemens has released a new version for RUGGEDCOM APE1808 and recommends updating to the latest version. The following versions of Siemens RUGGEDCOM APE1808 Devices are affected: RUGGEDCOM APE1808 vers:all/*, vers:all/* (CVE-2026-24858, CVE-2025-55018, CVE-2025-62439, CVE-2025-64157)

CVSS v3: 9.8
Vendor: Siemens
Equipment: Siemens RUGGEDCOM APE1808 Devices
Vulnerabilities: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Improper Verification of Source of a Communication Channel, Use of Externally-Controlled Format String, Authentication Bypass Using an Alternate Path or Channel


Quick Facts

CVE ID: CVE-2026-24858
CVSS Score: 9.8 / 10
Severity: CRITICAL
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 2.42%
Published: Jan 27, 2026

Known Threat Actors

core
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-24858 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.