CVE-2026-24017
Published: 10 March 2026
Summary
CVE-2026-24017 is a high-severity Improper Control of Interaction Frequency (CWE-799) vulnerability in Fortinet Fortiweb. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces limits on consecutive unsuccessful logon attempts, directly countering brute-force attacks enabled by bypassing FortiWeb's authentication rate-limit.
Provides denial-of-service protection mechanisms like rate limiting to restrict excessive crafted requests that exploit the interaction frequency vulnerability.
Requires timely identification, reporting, and remediation of software flaws such as this improper control of interaction frequency in FortiWeb.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing FortiWeb enables exploitation (T1190) and bypasses rate-limiting to facilitate brute-force authentication attacks (T1110).
NVD Description
An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the…
more
authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.
Deeper analysisAI
CVE-2026-24017 is an Improper Control of Interaction Frequency vulnerability (CWE-799) in Fortinet FortiWeb versions 8.0.0 through 8.0.2, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Published on 2026-03-10, it allows a remote unauthenticated attacker to bypass authentication rate-limiting via crafted requests. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts under network access with high attack complexity.
A remote unauthenticated attacker can exploit this vulnerability by crafting requests that evade the authentication rate-limit controls. This enables accelerated authentication attempts, such as brute-force attacks against login mechanisms. The attack's success hinges on the attacker's available resources and the complexity of the targeted password.
Fortinet's advisory FG-IR-26-082, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-082, provides details on the vulnerability. Security practitioners should review this reference for recommended mitigations and patching guidance.
Details
- CWE(s)