Fortinet (FortiOS / FortiGate / FortiManager focus)


CVE-2026-24858 (Critical, authentication bypass via FortiCloud SSO alternate path/channel; CWE-288): Any holder of a FortiCloud account could authenticate to other customers' devices on which FortiCloud SSO admin login was enabled (not the default, but commonly turned on after device registration). Exploited in the wild before disclosure; Fortinet reports locking the malicious accounts on January 22, 2026. Advisory published January 27, 2026. Fortinet mitigated on the cloud side first, disabling FortiCloud SSO and then re-enabling it by January 26-27 with vulnerable device versions no longer served. Device-side fixes shipped with the advisory (FortiOS 7.6.6 / 7.4.11 / 7.2.13 / 7.0.19; corresponding builds for other affected products). Exposure window after the announcement: effectively none, since fixed versions were listed in the advisory itself and the cloud-side change had already cut off the path. Workaround for devices that cannot be upgraded: disable FortiCloud SSO admin login. Indicators of compromise were published with the advisory; review them against admin login logs on any device that had SSO enabled during the exposure period.
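The decision a fleet owner has to make for this CVE is per device: is the running build at or above the fixed version for its branch, and is FortiCloud SSO admin login on? The script below is an added example (not Fortinet tooling and not from the advisory) that parses the `Version:` line of `get system status`, compares it against the fixed versions named above, and emits the workaround for devices that are still exposed. The hostnames, build numbers and status lines are constructed sample data; the `admin-forticloud-sso-login` setting under `config system global` is assumed to be the FortiOS option the workaround refers to and should be confirmed against the advisory for your build. Branches not named on this page are reported as unknown rather than guessed.

```python
"""Fleet triage for CVE-2026-24858 (FortiCloud SSO auth bypass).

Added example, not Fortinet's tooling. Inputs are the "Version:" line from
`get system status` and whether FortiCloud SSO admin login is enabled.
Fixed FortiOS versions are the ones named in the page: 7.6.6, 7.4.11, 7.2.13, 7.0.19.
"""
import re
from dataclasses import dataclass

# Branch (major, minor) -> first patch level that carries the fix (from the page).
FIXED_FORTIOS = {(7, 6): 6, (7, 4): 11, (7, 2): 13, (7, 0): 19}

# Matches e.g. "v7.4.10,build2789" in the FortiOS status output.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+),build(\d+)")

# Workaround from the page: disable FortiCloud SSO admin login. The setting name
# is assumed to be the FortiOS `config system global` option; confirm it against
# the advisory for your build before pushing it.
WORKAROUND_CLI = "config system global\n    set admin-forticloud-sso-login disable\nend"


@dataclass
class Verdict:
    hostname: str
    version: str       # e.g. "7.4.10"
    status: str        # "vulnerable", "fixed", or "unknown-branch"
    action: str


def parse_version(status_line):
    """Return ((major, minor, patch), build) from a `get system status` Version line."""
    m = VERSION_RE.search(status_line)
    if m is None:
        raise ValueError("no FortiOS version found in: %r" % status_line)
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def classify(version):
    """Compare a (major, minor, patch) tuple against the fixed build for its branch."""
    major, minor, patch = version
    fixed_patch = FIXED_FORTIOS.get((major, minor))
    if fixed_patch is None:
        return "unknown-branch"   # branch not listed on the page; consult the advisory
    return "fixed" if patch >= fixed_patch else "vulnerable"


def triage(hostname, status_line, sso_enabled):
    """Decide per device: patch, apply the workaround first, or nothing."""
    version, _build = parse_version(status_line)
    status = classify(version)
    ver_str = "%d.%d.%d" % version
    if status == "fixed":
        action = "none: fixed build"
    elif status == "vulnerable" and sso_enabled:
        action = "apply workaround now, then upgrade:\n" + WORKAROUND_CLI
    elif status == "vulnerable":
        action = "upgrade; keep FortiCloud SSO disabled until then"
    else:
        action = "branch not in fixed list: check advisory before deciding"
    return Verdict(hostname, ver_str, status, action)


# Constructed sample inventory: hypothetical hostnames, builds and SSO state.
SAMPLE_FLEET = [
    ("fw-edge-01", "Version: FortiGate-100F v7.4.10,build2789,250425 (GA.F)", True),
    ("fw-edge-02", "Version: FortiGate-60F v7.2.13,build1801,260119 (GA.F)", True),
    ("fw-lab-01",  "Version: FortiGate-VM64 v7.0.18,build0783,251103 (GA.F)", False),
]


def triage_fleet(fleet=SAMPLE_FLEET):
    """Run triage over an inventory of (hostname, status_line, sso_enabled)."""
    return [triage(h, line, sso) for h, line, sso in fleet]


if __name__ == "__main__":
    for v in triage_fleet():
        print("%-12s %-8s %-14s %s" % (v.hostname, v.version, v.status, v.action))
```

The comparison is branch-aware on purpose: 7.2.13 is fixed while 7.4.10 is not, so a plain "newest number wins" check would misclassify a fleet that mixes branches. Feed it the real status lines from your inventory tool and the SSO flag from each device's `config system global`.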

CVE-2025-25249 (CVSS 7.3, High): Heap-based buffer overflow in the CAPWAP daemon of FortiOS and FortiSwitchManager, leading to remote code execution. Disclosed January 13, 2026 with fixed builds available the same day, so no post-announcement exposure window. Lingering issue: CVE-2025-59718 / CVE-2025-59719 (the December 2025 authentication bypass, exploited in the wild) drew reports into January 2026 that the initial fixes were incomplete and that newer builds were required; devices patched only to the first fixed release should be re-checked against the current advisory.