Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign on (SSO) is enabled on devices.
Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature]. CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass the SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.
Read more…
Source: U.S. Cybersecurity and Infrastructure Security Agency
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Palo Alto Releases Critical Security Bulletin for Firewall Devices
November 18, 2024
Palo Alto has issued a critical severity security bulletin for an unauthenticated remote command execution vulnerability affecting the management interface for firewall devices. The vulnerability is still under investigation by Palo Alto but has not yet received a CVE designation. Palo Alto has tentatively given the vulnerability an initial CVSSv4 score of 9.3. However, if access ...
- Don’t Hold Down The Ctrl Key – New Warning As Cyber Attacks Confirmed
November 18, 2024
Just as security professionals will tell you that layered defensive strategies are the best when it comes to staving off successful attacks, so attackers will often look to precisely the same when executing their cyber attacks. Two-step phishing attacks have, in the words of security researchers from Perception Point, “become a cornerstone of modern cybercrime,” leveraging ...
- Ivanti Releases Security Updates for Multiple Products
November 14, 2024
Ivanti has released the following three security advisories addressing vulnerabilities in multiple products. Security Advisory Ivanti Avalanche (Multiple CVEs) – Q4 2024 Release Ivanti Avalanche is a mobile device management solution and is used to remotely manage, deploy software, and schedule updates for enterprise mobile devices. Successful exploitation of five of the vulnerabilities could lead to ...
- Microsoft Releases November 2024 Security Updates
November 13, 2024
Microsoft has released security updates to address 89 vulnerabilities in Microsoft products. The security updates include four critical vulnerabilities, two vulnerabilities that are under zero-day exploitation, and four vulnerabilities that are publicly disclosed. Vulnerability details CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2024-43451 is an ‘external control of file name or path’ vulnerability in Windows and Windows ...
- Fortinet Releases Multiple Security Advisories
November 13, 2024
Fortinet has released 18 security advisories to address a range of security vulnerabilities in multiple products. Three of the advisories address two high severity vulnerabilities in FortiClient for Windows and one high severity vulnerability in FortiOS affecting SSLVPN sessions. FortiClient and FortiOS provide an endpoint detection and response (EDR) solution, a virtual private network (VPN) solution, ...
- FBI: 2023 Top Routinely Exploited Vulnerabilities
November 12, 2024
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities ...