Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign on (SSO) is enabled on devices.
Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature]. CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass the SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.
Read more…
Source: U.S. Cybersecurity and Infrastructure Security Agency
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Vanta bug exposed customers’ data to other customers
June 2, 2025
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. Vanta, which helps corporate customers automate their security and compliance processes, said it ...
- Exploits and vulnerabilities in Q1 2025
May 30, 2025
The first quarter of 2025, like previous ones, demonstrates a significant number of newly documented vulnerabilities. The trend largely mirrors previous years, so we will focus on new data that can be collected for the most popular platforms. This report examines the characteristics of vulnerabilities in the Linux operating system and Microsoft software, specifically the Windows ...
- Santesoft Releases Security Update for Sante DICOM Viewer Pro
May 30, 2025
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) Medical Advisory for a vulnerability in Santesoft Sante DICOM Viewer Pro. Sante DICOM Viewer Pro is an application for viewing, processing, and editing DICOM-format medical images. CVE-2025-5307 has a CVSSv4 score of 8.4 and is an ‘out-of-bounds read’ vulnerability, which means ...
- A third of UK fintechs put customers data at risk of cyber attack
May 29, 2025
UK fintechs are putting thousands of customers in jeopardy by leaving themselves vulnerable to a cyber attack, shocking new research reveals. Nearly 800 firms’ digital presence was analysed by the ethical hacking platform Ethiack as it scrutinised their cybersecurity. Four in ten fintechs were found to be giving hackers a “powerful headstart” by revealing software details ...
- Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
May 29, 2025
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). GTIG researchers divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and ...
- UK: NHS patient data at risk in major cyber attack
May 28, 2025
A newly uncovered cyber attack has exposed sensitive information at two major NHS trusts, raising fears that patient records could be at risk. University College London hospitals, NHS Foundation Trust, and University Hospital Southampton, NHS Foundation Trust were among the victims identified in a widespread cyber breach. analysed by cybersecurity firm EclecticIQ. The company have said ...