CVE-2024-23106

Severity: High
Published: 14 January 2025
Modified: 16 July 2025
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0134 (80.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23106 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Fortinet FortiClientEMS. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked in the top 19.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-23106 is an improper restriction of excessive authentication attempts vulnerability (CWE-307) in FortiClientEMS versions 7.2.0 through 7.2.4 and before 7.0.10. The issue stems from inadequate controls on authentication attempts to the FortiClientEMS console, enabling brute force attacks via crafted HTTP or HTTPS requests.

An unauthenticated attacker with network access (AV:N/PR:N) can exploit this vulnerability by repeatedly submitting authentication requests. While the attack requires high complexity (AC:H), success could grant unauthorized access to the console, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Fortinet PSIRT advisory FG-IR-23-476 at https://fortiguard.fortinet.com/psirt/FG-IR-23-476 provides details on mitigation and patches for this vulnerability.

Vulnerability details

An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through 7.2.4 and before 7.0.10 allows an unauthenticated attacker to try a brute force attack against the FortiClientEMS console via crafted HTTP or HTTPS requests.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Directly enables brute-force authentication attacks against a remote management console due to missing rate limiting on login attempts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-59922 (same product: Fortinet FortiClientEMS)
- CVE-2026-21643 (same product: Fortinet FortiClientEMS)
- CVE-2026-35616 (same product: Fortinet FortiClientEMS)
- CVE-2024-50563 (same vendor: Fortinet)
- CVE-2026-6947 (shared CWE-307)
- CVE-2026-22278 (shared CWE-307)
- CVE-2025-14362 (shared CWE-307)
- CVE-2026-45364 (shared CWE-307)
- CVE-2025-23368 (shared CWE-307)
- CVE-2025-69615 (shared CWE-307)

Affected Assets

Fortinet FortiClientEMS: 6.2.0 to 6.2.9 · 6.4.0 to 6.4.9 · 7.0.0 to 7.0.11

Mitigating Controls (NIST 800-53 r5)

- prevent · AC-7 (Unsuccessful Logon Attempts): Directly enforces limits on consecutive invalid logon attempts to the console, comprehensively preventing the brute force authentication attacks described in the CVE.

- prevent · SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of the specific improper restriction flaw in affected FortiClientEMS versions, eliminating the vulnerability.

- prevent: Limits the effects of denial-of-service events, including brute force authentication attempts via crafted HTTP/HTTPS requests to the console.
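The AC-7 control above is easiest to see as code. The following is an added example, not Fortinet's code or anything taken from the advisory: it places an unrestricted login check (the shape of the CWE-307 flaw, where the password comparison is the only gate) beside a throttled one that counts recent failures per account, locks the account after a threshold, and refuses to evaluate the password at all while locked. The policy values, the demo credential table, and the `simulate` helper are constructed assumptions for illustration.

```python
"""AC-7 style lockout beside an unrestricted login check (added example)."""
import hmac
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values (constructed for this example, not vendor settings).
MAX_FAILURES = 5            # recent failures that trigger a lockout
FAILURE_WINDOW_S = 15 * 60  # failures older than this no longer count
LOCKOUT_S = 30 * 60         # how long the account stays locked

# Constructed demo credential table. A real console would verify against a
# salted password hash; plain strings are used only to keep the demo short.
DEMO_CREDS = {"admin": "correct-horse"}


def password_matches(creds, user, password):
    # Unknown users compare against "" so the branch timing is the same and
    # the caller cannot tell a missing account from a wrong password.
    stored = creds.get(user, "")
    return hmac.compare_digest(stored.encode(), password.encode())


class UnrestrictedLogin:
    """Models the flaw: every request is evaluated, however many failed."""

    def __init__(self, creds):
        self.creds = creds

    def attempt(self, user, password, now):
        return "success" if password_matches(self.creds, user, password) else "failure"


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class ThrottledLogin:
    """AC-7: limit consecutive invalid logon attempts per account."""

    def __init__(self, creds):
        self.creds = creds
        self.state = {}

    def attempt(self, user, password, now):
        # setdefault throttles unknown usernames too, which avoids enumeration.
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            # Do not evaluate the password while locked: a correct guess must
            # not be distinguishable from a wrong one during the lockout.
            return "locked"
        # Forget failures that fell outside the sliding window.
        while st.failures and now - st.failures[0] > FAILURE_WINDOW_S:
            st.failures.popleft()
        if password_matches(self.creds, user, password):
            st.failures.clear()
            return "success"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_S
            st.failures.clear()
            return "locked"
        return "failure"

    def lockout_remaining(self, user, now):
        """Seconds of lockout left for an account; 0 if not locked."""
        st = self.state.get(user)
        return max(0.0, st.locked_until - now) if st else 0.0


def simulate(login, user, passwords, start=0.0, step=1.0):
    """Feed one password per tick and return the outcome of each attempt."""
    return [login.attempt(user, pw, start + i * step) for i, pw in enumerate(passwords)]


if __name__ == "__main__":
    guesses = ["guess%d" % i for i in range(6)] + ["correct-horse"]
    print("unrestricted:", simulate(UnrestrictedLogin(DEMO_CREDS), "admin", guesses))
    print("throttled:   ", simulate(ThrottledLogin(DEMO_CREDS), "admin", guesses))
```

Running the block shows the contrast the CVE text describes: the unrestricted handler reports a success on the seventh request, while the throttled one locks the account on the fifth failure and keeps answering "locked" for the correct password until the lockout expires. The same counter is the natural source for an alert, since each transition to "locked" is an event worth forwarding to the SIEM.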
