FortiMail - Login mechanism without rate limitation


An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.
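CWE-307 names a missing control rather than a specific bug: nothing bounds how many times a client may fail authentication. The sketch below is an added example written for this page, not Fortinet's code, and it does not describe how FortiMail 7.4.1 and later fix the issue. It shows the usual shape of the control: failed logins are counted per (client address, username) in a sliding window, the key is locked once a threshold is crossed, and the lock expires on its own. The limits, the `login`/`LoginRateLimiter` names and the user table are all assumed values constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed demo policy (assumed values, not FortiMail's configuration).
MAX_FAILURES = 5       # failures tolerated inside one window
WINDOW_SECONDS = 300   # sliding window length
LOCKOUT_SECONDS = 900  # lock duration once the threshold is reached
PBKDF2_ROUNDS = 100_000


class LoginRateLimiter:
    """Counts failed logins per (client_ip, username) in a sliding window.

    `now` is passed in explicitly (seconds, monotonic) so the policy is
    deterministic and testable; a web app would pass time.monotonic().
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> time at which the lock expires

    def _prune(self, key, now):
        """Drop failures that have aged out of the window."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def locked_for(self, key, now):
        """Seconds remaining on a lock, or 0 if the key may attempt a login."""
        until = self._locked_until.get(key)
        if until is None:
            return 0
        if now >= until:  # lock expired: forget it and the old failures
            del self._locked_until[key]
            self._failures.pop(key, None)
            return 0
        return until - now

    def record_failure(self, key, now):
        """Register a failed attempt; returns True if this one triggered a lock."""
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(stored, password):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Hash of a random secret, checked against when the username is unknown so a
# missing account costs the same time as a wrong password (no user enumeration).
_DUMMY_CREDENTIAL = hash_password(os.urandom(16).hex())


def login(limiter, users, client_ip, username, password, now):
    """Returns "locked", "ok" or "denied". The limiter is consulted first so
    a locked key never reaches the (comparatively expensive) password check."""
    key = (client_ip, username)
    if limiter.locked_for(key, now) > 0:
        return "locked"
    stored = users.get(username, _DUMMY_CREDENTIAL)
    if username in users and check_password(stored, password):
        limiter.record_success(key)
        return "ok"
    check_password(stored, password) if username not in users else None
    limiter.record_failure(key, now)
    return "denied"


if __name__ == "__main__":
    # Constructed demo: one valid user, then a burst of wrong passwords.
    lim = LoginRateLimiter()
    users = {"alice": hash_password("correct horse")}
    for t in range(6):
        print(t, login(lim, users, "203.0.113.7", "alice", "wrong", float(t)))
    print("retry", login(lim, users, "203.0.113.7", "alice", "correct horse", 6.0))
```

Keying on the (address, username) pair is only a starting point: an attacker spreading attempts across many source addresses stays under a per-address threshold, so production deployments usually add a separate per-username budget, a per-address budget across all usernames, and an alert when either trips, since the lock itself is the detection signal a SOC wants to see.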
Version         Affected               Solution
FortiMail 7.4   7.4.0                  Upgrade to 7.4.1 or above
FortiMail 7.2   7.2.0 through 7.2.4    Upgrade to 7.2.5 or above
FortiMail 7.0   7.0.0 through 7.0.6    Upgrade to 7.0.7 or above
FortiMail 6.4   6.4.0 through 6.4.8    Upgrade to 6.4.9 or above
FortiMail 6.2   6.2 all versions       Migrate to a fixed release
Follow the recommended upgrade path using our tool at:


Fortinet is pleased to thank the customer who reported this vulnerability under responsible disclosure.


2023-11-13: Initial publication