A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention.

The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days.

Some researchers told CyberScoop they are concerned about the vulnerability — CVE-2026-29000 — because it affects a widely deployed Java security engine that attackers can exploit with relative ease.

“A threat actor only needs to access a server’s public RSA key to attempt exploitation,” researchers at Arctic Wolf Labs said in an email. 

These public keys, which are shared openly, are used to encrypt data and enable identity authentication. Attackers can trigger the defect and bypass authentication by forging a JSON Web Token (JWT) or deploy raw JSON claims via JSON Web Encryption (JWE) in pac4j-jwt to break into a system with the highest privileges.

“It is currently too early into the lifecycle of this vulnerability to tell if it will materialize into a major threat but the fact that it is a vulnerability in a library makes it more challenging to assess the potential risk,” researchers at Arctic Wolf Labs said. “Downstream consumers of the library may end up needing to issue their own advisories, as we’ve seen with other similar vulnerabilities in the past.”

Amartya Jha, co-founder and CEO at CodeAnt AI, warned that anyone with basic JWT knowledge can achieve exploitation. The vulnerability is a “logic flaw that no pattern-matching scanner or rule-based static application security testing tool would surface, because there’s no single line of code that’s wrong.”

The downstream security risk, as is often the case with open-source software, is widespread. The authentication module for pac4j is integrated into multiple frameworks, including Spring Security, Play Framework, Vert.x, Javalin and others, Jha said.

Many organizations may not realize they depend on pac4j-jwt because it’s not always declared in build files, he added. CodeAnt said it has contacted hundreds of maintainers in the past week to warn them that their packages and repositories are impacted by the vulnerability, which has a CVSS rating of 10.

Researchers haven’t observed any additional PoC exploit code, but they noted the exploit path is easy to reproduce. 

“The conditions for exploitation are favorable,” Jha said. “It’s pre-authentication, requires no secrets, the PoC is public, and the attack surface includes any internet-facing application or API gateway using the affected configuration. The window between public PoC and patch adoption is where the risk is highest.”

The post Critical defect in Java security engine poses serious downstream security risks appeared first on CyberScoop.

Fortinet customers are confronting another actively exploited zero-day vulnerability that allows attackers to bypass authentication in the single sign-on flow for FortiCloud and gain privileged access to multiple Fortinet firewall products and related services.

The vendor issued a security advisory for the vulnerability — CVE-2026-24858 — warning that some instances of exploitation already occurred earlier this month. Fortinet has yet to release patches to address the critical vulnerability across multiple versions of its products, including FortiAnalyzer, FortiManager, FortiOS, FortiProxy and FortiWeb.

Defects in Fortinet products are a recurring problem for the vendor’s customers and defenders, making 24 appearances on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. One-third of those vulnerabilities made the list last year and 13 are known to be used in ransomware campaigns.

The agency added the latest Fortinet defect, which has a CVSS rating of 9.8, to its known exploited vulnerabilities catalog Tuesday and shared Fortinet’s guidance in a subsequent alert Wednesday.

The vulnerability, which allows attackers with a FortiCloud account and a registered device to log into devices registered to other accounts, was exploited by two malicious FortiCloud accounts that Fortinet said it blocked Jan. 22. Attackers have reconfigured firewall settings on FortiGate devices, created unauthorized accounts and changed virtual private network configurations to gain access to new accounts.

The vendor said it disabled FortiCloud SSO Monday and re-enabled the service Tuesday with controls in place to prevent logins to devices running vulnerable software versions.

Fortinet’s advisory brings some clarity and raises new questions for defenders and researchers that have encountered problems on Fortinet devices since December. The vendor disclosed a pair of similar critical authentication bypass vulnerabilities Dec. 9, including CVE-2025-59718, which has also been actively exploited.

Arctic Wolf said it observed a new cluster of unauthorized firewall configuration changes on FortiGate devices Jan. 15 that bore similarities to previous attacks linked to CVE-2025-59718 in December. Fortinet hasn’t explained the extent to which the defects are related or if the new flaw represents a bypass of the previous patches, but it has confirmed that customers running versions released in December are vulnerable to CVE-2026-24858.

Fortinet did not respond to a request for comment. Carl Windsor, the company’s chief information security officer, shared recommended mitigation steps and indicators of compromise in a blog post.

Researchers have yet to determine how many customers are impacted by CVE-2026-24858 exploits, but the scope of potential victims is broad and global. Shadowserver scans show nearly 10,000 Fortinet instances with FortiCloud SSO enabled with roughly one-fourth of those based in the United States.

Ben Harris, founder and CEO at watchTowr, said the company’s exposure management platform is observing active probing for devices with FortiCloud SSO enabled, but the broader impact is still unknown. 

“There are those that know they’re affected, and likely a number that are unaware,” he told CyberScoop. “Regardless, those that keep a bingo card for ‘yet another year of depressingly predictable vulnerabilities’ have likely crossed off ‘full authentication bypass against a management interface’ already in 2026.”

Arctic Wolf researchers said they haven’t seen evidence of new exploitation since Jan. 21, adding that attacks appear to be limited to instances where management interfaces of vulnerable devices were publicly exposed to the internet. 

Vulnerabilities in network devices from multiple vendors have been exploited for initial access at a high rate, especially in ransomware attacks, researchers at Arctic Wolf said. “While it is vitally important to keep up to date on firmware updates, security best practices should be followed to limit the potential impact of this vulnerability and similar flaws in the future.”

While defenders have grown accustomed to a steady amount of Fortinet vulnerabilities, that experience has fueled a mounting sense of frustration. 

Joe Toomey, vice president of underwriting security at Coalition took to LinkedIn Wednesday to criticize Fortinet’s inability to thwart or reduce the number of actively exploited vulnerabilities affecting its products.

Fortinet’s latest defect marks the 14th time Coalition has sent zero-day advisories about critical Fortinet vulnerabilities to its policyholders in less than four years. Fortinet products account for more than 7% of the collective 180 zero-day advisories Coalition sent to policyholders since 2023, Toomey said in his blog post.

“All of which makes one begin to wonder if Fortinet is really taking security seriously,” he added.

Harris commended Fortinet for its transparency, adding that the vendor has clearly outlined its response and actions taken to address the vulnerability, some of which remains unfinished. 

Yet, he added: “As we’ve seen now for years, Fortinet and the ‘Fast & Furious’ franchise are apparently competing for the amount of sagas we can fit into one year. It’s unclear who will win.”

The post Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customers appeared first on CyberScoop.