Archiv für Februar 2026

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 

• CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability
• CVE-2021-39935 GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
• CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
• CVE-2025-64328 Sangoma FreePBX OS Command Injection Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2026-1281 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign on (SSO) is enabled on devices.¹

Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature].² CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass the SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.³  On Fortinet devices that had been fully upgraded to the latest release addressing CVE-2025-59718 and CVE-2025-59719 at the time of CVE-2026-24858 exploitation, Fortinet observed the following malicious activity:

• Unauthorized firewall configuration changes on FortiGate devices.
• Unauthorized creation of accounts.
• Unauthorized configuration changes of virtual private networks (VPNs) to grant access to new accounts.⁴ 

According to Fortinet, on Jan. 26, 2026, Fortinet disabled all FortiCloud SSO authentication to mitigate CVE-2026-24858, then reinstated the service on Jan. 27, 2026, with changes to prevent exploitation of vulnerable devices.  

CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog on Jan. 27, 2026.

CISA urges users to check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and immediately apply updates as soon as they are available using Fortinet’s instructions:

• Administrative FortiCloud SSO authentication bypass
• Analysis of Single Sign-On Abuse on FortiOS

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 

Notes

1. Fortinet, “Administrative FortiCloud SSO Authentication Bypass,” FortiGuard Labs, last modified January 27, 2026, https://fortiguard.fortinet.com/psirt/FG-IR-26-060.
2. Fortinet, “Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass,” FortiGuard Labs, last modified December 9, 2025, https://fortiguard.fortinet.com/psirt/FG-IR-25-647.
3. Carl Windsor, “Analysis of Single Sign-On Abuse on FortiOS,” PSIRT Blogs (blog), Fortinet, last modified January 22, 2026, https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios.
4. Arctic Wolf Labs, “Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts,” Arctic Wolf Blog (blog), Arctic Wolf, last modified January 21, 2026, https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/.