CVE-2026-24858
Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Affected products (18)
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* range: >=7.0.0,<=7.0.15
- cpe:2.3:o:fortinet:fortianalyzer:7.6.5:*:*:*:*:*:*:* range: 7.6.0
- (no CPE) range: 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* range: >=7.0.0,<=7.0.15
- cpe:2.3:o:fortinet:fortimanager:7.6.5:*:*:*:*:*:*:* range: 7.6.0
- (no CPE) range: 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15
cpe:2.3:a:fortinet:fortinac-f:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortinac-f:*:*:*:*:*:*:*:* range: >=7.6.3,<7.6.6
- (no CPE) range: 7.6.3 through 7.6.5
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* range: >=7.0.0,<=7.0.22
- cpe:2.3:a:fortinet:fortiproxy:7.6.4:*:*:*:*:*:*:* range: 7.6.0
- (no CPE) range: 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2.0 through 7.2.15, 7.0.0 through 7.0.22
- cpe:2.3:o:siemens:ruggedcom_ape1808_firmware:-:*:*:*:*:*:*:*
References (4)
- cert-portal.siemens.com/productcert/html/ssa-975644.html (nvd: Third Party Advisory)
- fortiguard.fortinet.com/psirt/FG-IR-26-060 (nvd: Vendor Advisory)
- www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios (nvd: Mitigation, Vendor Advisory)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd: US Government Resource)
News mentions (3)
- No Zero-Day Tied to 80,000 Harvested Fortinet Credentials (GovInfoSecurity · Jun 22, 2026)
- ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More (The Hacker News · Jun 22, 2026)
- Fortinet Responds to FortiBleed Campaign (SecurityWeek · Jun 22, 2026)