FortiMail - Login mechanism without rate limitation


An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.
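The control the advisory describes as missing, shown as an added example rather than Fortinet code: a sliding-window throttle on failed logins per (user, source) pair, plus a replay of constructed log lines through it to see which attempts a lockout would have rejected. The log format, the 300-second window and the limit of 5 failures are assumptions for the demo, not values from the advisory.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # look-back window; assumed policy value, not from the advisory
MAX_FAILURES = 5      # failed attempts per (user, source) in the window before lockout

class LoginThrottle:
    """Sliding-window count of failed logins per (user, source) pair."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window, self.limit = window, limit
        self._failures = defaultdict(deque)  # (user, source) -> failure epochs

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # age out failures older than the window
            q.popleft()
        return q

    def is_locked(self, user, source, now):
        return len(self._recent((user, source), now)) >= self.limit

    def record(self, user, source, now, success):
        if success:
            self._failures.pop((user, source), None)  # a valid login clears the counter
        else:
            self._recent((user, source), now).append(now)

# Constructed log format for the demo (not FortiMail's real log format):
#   "<epoch> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\d+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def find_bruteforce(lines, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Replay log lines through the throttle; return attempts it would have rejected."""
    throttle, rejected = LoginThrottle(window, limit), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the constructed format
        ts, ok, user, src = int(m[1]), m[2] == "LOGIN_OK", m[3], m[4]
        if throttle.is_locked(user, src, ts):
            rejected.append((user, src, ts))
        throttle.record(user, src, ts, ok)
    return rejected

# Constructed sample: six rapid failures from one source, then one valid login.
SAMPLE_LOG = [f"{1699833600 + i * 2} LOGIN_FAIL user=alice src=198.51.100.7" for i in range(6)]
SAMPLE_LOG.append("1699833700 LOGIN_OK user=alice src=198.51.100.7")
```

Keying on (user, source) means failures spread across many source addresses are counted separately; a production throttle would also track a per-user count so that a distributed guess at one account still trips the limit.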

Version        Affected             Solution
FortiMail 7.4  7.4.0                Upgrade to 7.4.1 or above
FortiMail 7.2  7.2.0 through 7.2.4  Upgrade to 7.2.5 or above
FortiMail 7.0  7.0.0 through 7.0.6  Upgrade to 7.0.7 or above
FortiMail 6.4  6.4.0 through 6.4.8  Upgrade to 6.4.9 or above
FortiMail 6.2  6.2 all versions     Migrate to a fixed release


Fortinet is pleased to thank the customer who reported this vulnerability under responsible disclosure.


2023-11-13: Initial publication