CVE-2026-24858
KEV
Authentication bypass in Fortinet FortiAnalyzer allows access to devices belonging to other accounts.
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | Yes |
| FIRST EPSS (exploit probability) | 55.1% |
| Published (NVD) | 2026-01-27 20:16:24 UTC |
| Last modified (NVD) | 2026-06-17 10:23:43 UTC |
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060 (psirt@fortinet.com) [Vendor Advisory]
- https://cert-portal.siemens.com/productcert/html/ssa-975644.html (0b142b55-0307-4c5a-b3c9-f314f3fb7c5e) [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios (134c704f-9b21-4f2e-91b3-4a467353bcc0) [Mitigation, Vendor Advisory]