CVE-2026-24017
Published: 2026-03-10
Priority: P2 · 62 · high · CVSS 3.1 score 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.76% (50.8th percentile)
An Improper Control of Interaction Frequency vulnerability [CWE-799] in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate limit via crafted requests. The success of the attack depends on the attacker's resources and the complexity of the targeted password.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 7.0.0 < 7.0.12 | 7.0.12 |
| fortinet | fortiweb | 7.0.0 – 7.0.11 | — |
| fortinet | fortiweb | >= 7.2.0 < 7.2.12 | 7.2.12 |
| fortinet | fortiweb | 7.2.0 – 7.2.11 | — |
| fortinet | fortiweb | >= 7.4.0 < 7.4.11 | 7.4.11 |
| fortinet | fortiweb | 7.4.0 – 7.4.10 | — |
| fortinet | fortiweb | >= 7.6.0 < 7.6.6 | 7.6.6 |
| fortinet | fortiweb | 7.6.0 – 7.6.5 | — |
| fortinet | fortiweb | >= 8.0.0 < 8.0.3 | 8.0.3 |
| fortinet | fortiweb | 8.0.0 – 8.0.2 | — |
Detection & IOCs (extracted from sources)
- Monitor for high-frequency authentication attempts against FortiWeb admin login endpoints from a single remote unauthenticated source, which may indicate rate-limit bypass / brute-force activity exploiting CVE-2026-24017.
- Alert on anomalous volumes of login requests to FortiWeb management interfaces from unauthenticated sources; the vulnerability (CWE-799, Improper Control of Interaction Frequency) means the device's built-in rate limiting can be bypassed via specially crafted requests.
- All FortiWeb versions in the following ranges are affected and should be prioritised for patching: 8.0.0–8.0.2, 7.6.0–7.6.5, 7.4.0–7.4.10, 7.2.0–7.2.11, 7.0.0–7.0.11. Exploitation success is resource- and password-complexity-dependent, so strong/complex admin passwords reduce (but do not eliminate) risk.
GHSA
GHSA-76jh-wm3g-gchp · ghsa_unreviewed · 2026-03-10 · CVE-2026-24017 [HIGH] · CWE-799
Same description as the NVD entry above.
Fortinet
FG-IR-26-082: Authentication rate-limit bypass permits to brute force admin logins
vendor_fortinet · 2026-03-10 · CVSS 8.1 · CVE-2026-24017 [HIGH] · CWE-799
Same description as the NVD entry above.
CVEs: CVE-2026-24017
CWEs: CWE-799
CVSS: 8.1 (high)
Affected products: FortiWeb, Fortinet
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-24017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · CVE-2026-24017 [HIGH]
## CVE-2026-24017: Fortinet FortiWeb vulnerability analysis and mitigation
Same description as the NVD entry above.
Source: NVD
Score: 8.1
Published: March 10, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS)
Wiz
CVE-2026-24640 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · CVE-2026-24640 [HIGH]
## CVE-2026-24640: Fortinet FortiWeb vulnerability analysis and mitigation
A Stack-based Buffer Overflow vulnerability [CWE-121] in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, and FortiWeb 7.0.2 through 7.0.12 may allow a remote authenticated attacker who can bypass stack protection and ASLR to execute arbitrary code or commands via crafted HTTP requests.
Source: NVD
Score: 6.6
Published: March 10, 2026
Severity: MEDIUM
CNA Score: 6.6
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 12.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries
c
Wiz
CVE-2025-66178 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · CVE-2025-66178 [HIGH]
## CVE-2025-66178: Fortinet FortiWeb vulnerability analysis and mitigation
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2.0 through 7.2.12, and FortiWeb 7.0.0 through 7.0.12 may allow an authenticated attacker to execute arbitrary commands via a specially crafted HTTP request.
Source: NVD
Score: 7.2
Published: March 10, 2026
Severity: HIGH
CNA Score: 7.2
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries
c
Wiz
CVE-2025-48840 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2025-48840 [MEDIUM]
## CVE-2025-48840: Fortinet FortiWeb vulnerability analysis and mitigation
An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.8, FortiWeb 7.2 all versions, and FortiWeb 7.0 all versions may allow a remote unauthenticated attacker to bypass hostname restrictions via a specially crafted request.
Source: NVD
Score: 5.3
Published: March 10, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 24.9
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:fortinet:fortiweb
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 10, 20
Wiz
CVE-2025-64471 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.9 · CVE-2025-64471 [MEDIUM]
## CVE-2025-64471: Fortinet FortiWeb vulnerability analysis and mitigation
A use of password hash instead of password for authentication vulnerability [CWE-836] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests.
Source: NVD
Score: 7.5
Published: December 9, 2025
Severity: HIGH
CNA Score: 4.9
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 16.8
Exploitation Probability (EPSS): 0.1
Affected packag
Wiz
CVE-2025-59719 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CVE-2025-59719 [CRITICAL]
## CVE-2025-59719: Fortinet FortiWeb vulnerability analysis and mitigation
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, and FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
Source: NVD
Score: 9.8
Published: December 9, 2025
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 27.8
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:fortinet:fortiweb
Sources
Linux Severity CRITICAL Has Fix Added at: Dec 10, 20
Wiz
CVE-2026-30897 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · CVE-2026-30897 [HIGH]
## CVE-2026-30897: Fortinet FortiWeb vulnerability analysis and mitigation
A stack-based buffer overflow vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2 all versions, and FortiWeb 7.0 all versions may allow a remote authenticated attacker who can bypass stack protection and ASLR to execute arbitrary code or commands via crafted HTTP requests.
Source: NVD
Score: 6.6
Published: March 10, 2026
Severity: MEDIUM
CNA Score: 6.6
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 12.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries
cpe:2.3:a:fortinet:fortiw
Wiz
CVE-2025-64447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1 · CVE-2025-64447 [HIGH]
## CVE-2025-64447: Fortinet FortiWeb vulnerability analysis and mitigation
A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS requests with forged cookies, requiring prior knowledge of the FortiWeb serial number.
Source: NVD
Score: 8.1
Published: December 9, 2025
Severity: HIGH
CNA Score: 8.1
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 40.8
Exploi
Wiz
CVE-2026-24641 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · CVE-2026-24641 [HIGH]
## CVE-2026-24641: Fortinet FortiWeb vulnerability analysis and mitigation
A NULL Pointer Dereference vulnerability [CWE-476] in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, and FortiWeb 7.0 all versions may allow an authenticated attacker to crash the HTTP daemon via crafted HTTP requests.
Source: NVD
Score: 6.5
Published: March 10, 2026
Severity: MEDIUM
CNA Score: 2.7
Affected Technologies: Fortinet FortiWeb
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 32.4
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:fortinet:fortiweb
Sources
Linux Severity MEDIUM Has Fix