CVE-2026-24017 - Vulnerability Details

- Authentication Rate‑Limit Bypass via Improper Interaction Frequency Control

Description

An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.

Published: 2026-03-10

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper control of interaction frequency (CWE‑799) that allows a remote unauthenticated attacker to bypass FortiWeb’s authentication rate‑limit by sending crafted requests. Based on the description, it is inferred that the attacker could use this to perform credential guessing or brute‑force attacks, as the rate‑limit enforcement is weakened. This could lead to unauthorized access if the correct credentials are discovered.

Affected Systems

The issue affects Fortinet FortiWeb appliances running any of the following software versions: 8.0.0 through 8.0.2, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11.

Risk and Exploitability

The CVSS score is 7.3, indicating a high severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is remote and unauthenticated, with the only requirement being the ability to send crafted requests to the authentication endpoints; no privileged access or additional credentials are needed. Based on the description, it is inferred that the success of the attack depends on the attacker’s resources and the password target complexity. The vulnerability does not appear in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortinet

FortiWeb

unaffected

Version	Status	Constraints
`8.0.0`	affected	≤ 8.0.2
`7.6.0`	affected	≤ 7.6.5
`7.4.0`	affected	≤ 7.4.10
`7.2.0`	affected	≤ 7.2.11
`7.0.0`	affected	≤ 7.0.11

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortiweb::::::::
	cpe:2.3:a:fortinet:fortiweb::::::::
	cpe:2.3:a:fortinet:fortiweb::::::::
	cpe:2.3:a:fortinet:fortiweb::::::::
	cpe:2.3:a:fortinet:fortiweb::::::::

No data.

Vendor Product Confidence Versions

Fortinet

Fortiweb

100%

Version	Status	Scheme	Platform
`[8.0.0,8.0.2]`	affected	semver	—
`[7.6.0,7.6.5]`	affected	semver	—
`[7.4.0,7.4.10]`	affected	semver	—
`[7.2.0,7.2.11]`	affected	semver	—
`[7.0.0,7.0.11]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to FortiWeb version 8.0.3 or above Upgrade to FortiWeb version 7.6.6 or above Upgrade to FortiWeb version 7.4.11 or above Upgrade to FortiWeb version 7.2.12 or above Upgrade to FortiWeb version 7.0.12 or above

OpenCVE Recommended Actions

Upgrade FortiWeb to version 8.0.3 or later. If maintaining an older branch, upgrade to the corresponding version (≥7.6.6, ≥7.4.11, ≥7.2.12, ≥7.0.12).
Verify that the authentication rate‑limit feature is enabled and properly configured to restrict repeated authentication attempts.
Deploy network or application firewall rules to limit the rate of incoming authentication requests to the FortiWeb appliance.

Generated by OpenCVE AI on April 16, 2026 at 09:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00143.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-26-082

History

Thu, 16 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title		Authentication Rate‑Limit Bypass via Improper Interaction Frequency Control

Thu, 12 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:fortinet:fortiweb::::::::

Tue, 10 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.
First Time appeared		Fortinet Fortinet fortiweb
Weaknesses		CWE-799
CPEs		cpe:2.3:a:fortinet:fortiweb:7.0.0:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.10:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.11:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.1:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.2:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.3:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.4:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.5:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.6:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.7:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.8:::::::* cpe:2.3:a:fortinet:fortiweb:7.0.9:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.0:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.10:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.11:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.1:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.2:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.3:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.4:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.5:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.6:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.7:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.8:::::::* cpe:2.3:a:fortinet:fortiweb:7.2.9:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.0:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.10:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.1:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.2:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.3:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.4:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.5:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.6:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.7:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.8:::::::* cpe:2.3:a:fortinet:fortiweb:7.4.9:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.0:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.1:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.2:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.3:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.4:::::::* cpe:2.3:a:fortinet:fortiweb:7.6.5:::::::* cpe:2.3:a:fortinet:fortiweb:8.0.0:::::::* cpe:2.3:a:fortinet:fortiweb:8.0.1:::::::* cpe:2.3:a:fortinet:fortiweb:8.0.2:::::::*
Vendors & Products		Fortinet Fortinet fortiweb
References		https://fortiguard.fortinet.com/psirt/FG-IR-26-082
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}`

Subscriptions

Fortinet Fortiweb

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2026-03-10T16:44:19.746Z

Updated: 2026-03-11T03:56:50.059Z

Reserved: 2026-01-20T11:13:10.548Z

Link: CVE-2026-24017

Vulnrichment

Updated: 2026-03-10T17:34:25.434Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:17.400

Modified: 2026-03-12T17:10:26.443

Link: CVE-2026-24017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses

CWE-799

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object