FortiMail - Login mechanism without rate limitation

Summary

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.

Version Affected Solution
FortiMail 7.4 7.4.0 Upgrade to 7.4.1 or above
FortiMail 7.2 7.2.0 through 7.2.4 Upgrade to 7.2.5 or above
FortiMail 7.0 7.0.0 through 7.0.6 Upgrade to 7.0.7 or above
FortiMail 6.4 6.4.0 through 6.4.8 Upgrade to 6.4.9 or above
FortiMail 6.2 6.2 all versions Migrate to a fixed release

Acknowledgement

Fortinet is pleased to thank the customer who reported this vulnerability under responsible disclosure.

Timeline

2023-11-13: Initial publication