Fortinet Discloses Authentication Rate-Limit Bypass in FortiWeb Allowing Brute-Force Attacks
Fortinet disclosed an improper control of interaction frequency vulnerability in FortiWeb that allows remote unauthenticated attackers to bypass authentication rate-limiting and brute-force admin logins.
Fortinet has disclosed a vulnerability in its FortiWeb web application firewall that could allow remote unauthenticated attackers to bypass authentication rate-limiting and perform brute-force attacks on admin logins. Tracked as FG-IR-26-082, the flaw is classified as an Improper Control of Interaction Frequency (CWE-799) issue with a CVSSv3 score of 7.3, indicating high severity.
The vulnerability stems from insufficient enforcement of rate limits on authentication attempts. By sending crafted requests, an attacker can circumvent the intended throttling mechanism, enabling repeated login attempts without triggering lockouts or delays. The success of such brute-force attacks depends on the attacker's computational resources and the complexity of the target password, but in practice, weak or default credentials could be compromised relatively quickly.
FortiWeb is a widely deployed web application firewall used to protect web applications from various attacks. The affected versions span multiple release branches: FortiWeb 8.0.0 through 8.0.2, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Fortinet has released patches for each branch, with upgrades to 8.0.3, 7.6.6, 7.4.11, 7.2.12, and 7.0.12 respectively. Notably, FortiAppSec Cloud is not impacted by this issue.
The vulnerability was internally discovered and reported by Yanmin Ji of Fortinet's Development team. No evidence of active exploitation has been reported at the time of disclosure, but given the nature of the flaw—enabling brute-force attacks—administrators are urged to apply patches promptly. Brute-force attacks are a common vector for gaining unauthorized access, especially when combined with credential stuffing or weak password policies.
This disclosure follows a series of Fortinet advisories addressing critical vulnerabilities in other products, including FortiSandbox and FortiAuthenticator. The company continues to emphasize the importance of timely patching and recommends enabling multi-factor authentication where possible to mitigate the risk of brute-force attacks. Organizations using FortiWeb should review their deployment versions and apply the appropriate updates to prevent potential compromise.