CVE-2021-26091

CWE-338 | 4 documents | 4 sources
Severity: 7.5 HIGH
EPSS: 0.1% (top 64.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 24

Description

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users' authentication tokens and reset their credentials.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | fortinet/fortimail | 6.2.0 | 6.2.* | +2
NVD | fortinet/fortimail | 6.2.0 | 6.4.5

🔴 Vulnerability Details (2)

GHSA
GHSA-pmxq-4hqc-9hr4: A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiM... (2025-03-24)
CVEList
CVE-2021-26091: A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiM... (2025-03-24)

📋 Vendor Advisories (1)

Fortinet
A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Base... (2025-03-24)