Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign on (SSO) is enabled on devices.
Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature]. CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass the SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.
Read more…
Source: U.S. Cybersecurity and Infrastructure Security Agency
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Update WhatsApp now: Two new flaws could expose you to malicious files
May 5, 2026
Meta has published a new security advisory for messaging app WhatsApp, announcing patches for two vulnerabilities. WhatsApp has fixed two security flaws that could be abused to interfere with how media and attachments are handled on your device. There is no evidence that either bug has been exploited in the wild. These bugs don’t automatically infect ...
- Children say they can beat age checks by drawing on a fake mustache
May 4, 2026
It’s been months since the UK government began requiring stronger age checks under the Online Safety Act, and recent research suggests those measures are falling short of keeping kids away from harmful content. In some cases, even drawing on a mustache has been reported as enough to fool age detection software. Like keeping booze away from ...
- ASD: Careful Adoption of Agentic AI Services
May 1, 2026
Agentic artificial intelligence (AI) systems increasingly operate across critical infrastructure and defence sectors and support mission-critical capabilities. As agentic AI systems play a growing operational role, it is crucial for defenders to implement security controls to protect national security and critical infrastructure from agentic AI-specific risks. Agentic AI can automate repetitive, well-defined and low-risk tasks. However, ...
- Copy Fail vulnerability allows attackers to gain root access on virtually any modern Linux distribution
April 30, 2026
A working exploit written in Python (later released in other programming languages as well) consists of about ten lines of code and uses standard system calls that are indistinguishable from normal system activity. Kaspersky explain what the CVE-2026-31431 vulnerability, unofficially named as Copy Fail and published on April 29, is. Kaspersky also have some advice on ...
- Nasty cPanel vulnerability probably exploited as a 0-day
April 30, 2026
Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it. Given that cPanel and WebHost Manager (WHM) control panel help manage properties for 70 million domains, by some estimates, and the critical severity of CVE-2026-41940 (9.8), the vulnerability is ...
- CISA flags data-theft bug in NSA-built OT networking tool
April 29, 2026
The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information. First reported by Grady DeRosa, senior industrial pentester at Dragos, the weak spot affects all versions of GrassMarlin, a tool developed ...