CVE-2026-24017
published 2026-03-10


Priority: P2 (62)
CVSS 3.1: 8.1 (high)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.76% (50.8th percentile)
An Improper Control of Interaction Frequency vulnerability [CWE-799] in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the complexity of the targeted password.

Affected

12 ranges

Vendor    Product   Version range          Fixed in
fortinet  fortinet  (not specified)        
fortinet  fortiweb  (not specified)        
fortinet  fortiweb  >= 7.0.0 < 7.0.12      7.0.12
fortinet  fortiweb  7.0.0 - 7.0.11         
fortinet  fortiweb  >= 7.2.0 < 7.2.12      7.2.12
fortinet  fortiweb  7.2.0 - 7.2.11         
fortinet  fortiweb  >= 7.4.0 < 7.4.11      7.4.11
fortinet  fortiweb  7.4.0 - 7.4.10         
fortinet  fortiweb  >= 7.6.0 < 7.6.6       7.6.6
fortinet  fortiweb  7.6.0 - 7.6.5          
fortinet  fortiweb  >= 8.0.0 < 8.0.3       8.0.3
fortinet  fortiweb  8.0.0 - 8.0.2          

Detection & IOCs (extracted from sources)

  • Monitor for high-frequency authentication attempts against FortiWeb admin login endpoints from a single remote unauthenticated source, which may indicate rate-limit bypass / brute-force activity exploiting CVE-2026-24017.
  • Alert on anomalous volumes of login requests to FortiWeb management interfaces from unauthenticated sources; the vulnerability (CWE-799 – Improper Control of Interaction Frequency) means the device's built-in rate-limiting can be bypassed via specially crafted requests.
  • All FortiWeb versions in the following ranges are affected and should be prioritised for patching: 8.0.0–8.0.2, 7.6.0–7.6.5, 7.4.0–7.4.10, 7.2.0–7.2.11, 7.0.0–7.0.11. Exploitation success depends on the attacker's resources and on password complexity, so strong, complex admin passwords reduce (but do not eliminate) risk.
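The first two bullets describe a volume-based detection: flag any single source that produces an unusual number of authentication attempts against the management interface within a short window. The following is an added illustration of that logic, not code from this page or from Fortinet. It uses a constructed, hypothetical "timestamp src_ip user result" log layout (not FortiWeb's actual log format), assumes lines arrive in chronological order, and keeps a sliding window of attempt timestamps per source so that a burst is reported with its peak count.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical "timestamp src_ip user result"
# layout. This is NOT FortiWeb's log format; adapt parse_line() to the
# fields your device or syslog pipeline actually emits.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z 203.0.113.7 admin FAIL
2026-03-10T09:00:01Z 203.0.113.7 admin FAIL
2026-03-10T09:00:01Z 203.0.113.7 admin FAIL
2026-03-10T09:00:02Z 203.0.113.7 admin FAIL
2026-03-10T09:00:02Z 203.0.113.7 admin FAIL
2026-03-10T09:00:03Z 203.0.113.7 admin FAIL
2026-03-10T09:00:15Z 198.51.100.4 alice FAIL
2026-03-10T09:00:40Z 198.51.100.4 alice OK
2026-03-10T09:03:00Z 203.0.113.7 admin FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, user, result


def find_bursts(log_text, window_seconds=60, threshold=5):
    """Return {src_ip: peak attempts seen inside any sliding window} for every
    source whose attempt count within window_seconds reaches threshold.

    Every login attempt is counted, successful or not: a rate-limit bypass
    shows up as raw request volume from one source, regardless of outcome.
    Lines are assumed to be in chronological order.
    """
    windows = defaultdict(deque)  # src_ip -> timestamps inside the window
    peaks = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, _user, _result = parse_line(line)
        q = windows[src]
        q.append(when)
        # Drop timestamps that have fallen out of the window.
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {src} made {count} login attempts within 60s")
```

In the constructed sample, 203.0.113.7 sends six attempts in three seconds and is reported; 198.51.100.4 makes two attempts and is not. Tune the window and threshold to the normal login rate of your own administrators, and remember that counting per source address will not catch attempts spread across many addresses; a second aggregation keyed on the targeted account is a useful complement.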