What is CVE-2026-24858?

CVE-2026-24858 is a critical-severity vulnerability in Fortinet Fortianalyzer, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 9.8/10. Published 2026-01-27.

How severe is CVE-2026-24858?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2026-24858 known to be exploited?

Yes. CVE-2026-24858 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-01-27), indicating it is being actively exploited.

Vulnerability in Fortinet Fortianalyzer

CVE-2026-24858

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 thr…

EPSS: 0.039 (88.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Fortinet Fortianalyzer — versions 7.6.0, 7.4.0, 7.2.0
Fortinet Fortimanager — versions 7.6.0, 7.4.0, 7.2.0
Fortinet Fortios — versions 7.6.0, 7.4.0, 7.2.0
Fortinet Fortiproxy — versions 7.6.0, 7.4.0, 7.2.0
Fortinet Fortiweb — versions 8.0.0, 7.6.0, 7.4.0
Siemens Ruggedcom_ape1808
Siemens Ruggedcom_ape1808_firmware

Weakness classification (CWE)

CWE-288 — Authentication Bypass Using an Alternate Path or Channel

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2026-01-27. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2026-01-30.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

psirt@fortinet.com (Vendor Advisory)
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e (Third Party Advisory)
134c704f-9b21-4f2e-91b3-4a467353bcc0 (US Government Resource)
134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-24858?: CVE-2026-24858 is a critical-severity vulnerability in Fortinet Fortianalyzer, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 9.8/10. Published 2026-01-27.
How severe is CVE-2026-24858?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2026-24858 known to be exploited?: Yes. CVE-2026-24858 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-01-27), indicating it is being actively exploited.