CVE-2021-26091
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2021-26091 is a use of a cryptographically weak pseudo-random number generator vulnerability, classified under CWE-338, affecting the authenticator in the Identity Based Encryption service of FortiMail versions 6.4.0 through 6.4.4 and 6.2.0 through 6.2.7. Published on 2025-03-24T16:15:16.450, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.
An unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation may allow the attacker to infer portions of users' authentication tokens, enabling credential resets for affected accounts.
The FortiGuard advisory FG-IR-21-031 (https://fortiguard.com/advisory/FG-IR-21-031) details mitigations and patches for this issue.
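The weakness class behind this CVE (CWE-338) reduced to its essentials, as an added illustration that is not FortiMail's code and makes no claim about its internals: a reset token drawn from a general-purpose PRNG seeded with a coarse timestamp is reproducible by anyone who can reseed the same way, whereas a token from the OS CSPRNG is not. All function names are hypothetical.

```python
import hashlib
import hmac
import random
import secrets
import time

# Illustrative token generators (hypothetical, not FortiMail's implementation).

def weak_reset_token(seed: int, nbytes: int = 16) -> str:
    """CWE-338 pattern: a general-purpose PRNG (Mersenne Twister) seeded from a
    low-entropy value such as a second-resolution timestamp. Anyone who can guess
    the seed reproduces the exact token, so it must never gate a credential reset."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()

def strong_reset_token(nbytes: int = 32) -> str:
    """Hardened form: draw from the OS CSPRNG via the secrets module. 32 bytes gives
    256 bits of entropy, so guessing is infeasible within any token lifetime."""
    return secrets.token_hex(nbytes)

def token_fingerprint(token: str) -> str:
    """Store only a hash of the issued token; a leaked table then does not leak live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()

def verify_reset_token(presented: str, stored_fingerprint: str) -> bool:
    """Compare in constant time so response timing does not leak how much of the token matched."""
    return hmac.compare_digest(token_fingerprint(presented), stored_fingerprint)

def reproducible_with_same_seed(seed: int) -> bool:
    """True means the generator is deterministic for a given seed: the weakness in a nutshell."""
    return weak_reset_token(seed) == weak_reset_token(seed)

def distinct_within_same_second(n: int = 100) -> bool:
    """Check a defender would run: n tokens issued inside one clock tick must not contain duplicates."""
    tokens = {strong_reset_token() for _ in range(n)}
    return len(tokens) == n

if __name__ == "__main__":
    coarse_seed = int(time.time())  # second-resolution clock as a seed: low entropy
    print("weak token reproducible:", reproducible_with_same_seed(coarse_seed))  # True
    print("strong tokens distinct:", distinct_within_same_second())             # True
    issued = strong_reset_token()
    stored = token_fingerprint(issued)
    print("verify issued token:", verify_reset_token(issued, stored))           # True
    print("verify other token:", verify_reset_token(strong_reset_token(), stored))  # False
```

The same reseeding check applied to a real service's token generator (many tokens requested within one second, compared for repeats or shared prefixes) is the cheapest way to catch this weakness class before an advisory does.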
Details
- CWE(s): CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator)
Affected Products: FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.7
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable weakness in the authentication token generation of a public-facing FortiMail service, allowing unauthenticated network attackers to infer tokens and perform credential resets, which directly aligns with exploiting public-facing applications.