CVE-2026-24017

EUVD-2026-10520

10.03.2026, 18:18

An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
fortinet	CNA	7.3 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
fortinet	fortiweb	7.0.0 ≤ 𝑥 < 7.0.12
fortinet	fortiweb	7.2.0 ≤ 𝑥 < 7.2.12
fortinet	fortiweb	7.4.0 ≤ 𝑥 < 7.4.11
fortinet	fortiweb	7.6.0 ≤ 𝑥 < 7.6.6
fortinet	fortiweb	8.0.0 ≤ 𝑥 < 8.0.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-799 - Improper Control of Interaction Frequency
The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

Vulnerability Media Exposure

[GERMAN] Fortinet: Hochriskante Lücken in FortiWeb, FortiManager und weiteren
Fortinet schließt Lücken in FortiWeb oder FortiManager, die etwa Einschleusen von Befehlen erlauben. FortiGate-Firewalls wurden attackiert.
Published: 2026-03-11T11:47:00+00:00

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-082