CVE-2024-23106

High

Published: 14 January 2025

Published

14 January 2025

Modified

16 July 2025

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0099 77.0th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through 7.2.4 and before 7.0.10 allows an unauthenticated attacker to try a brute force attack against the FortiClientEMS console via crafted HTTP or HTTPS requests.

Security Summary

CVE-2024-23106 is an improper restriction of excessive authentication attempts vulnerability (CWE-307) in FortiClientEMS versions 7.2.0 through 7.2.4 and before 7.0.10. The issue stems from inadequate controls on authentication attempts to the FortiClientEMS console, enabling brute force attacks via crafted HTTP or HTTPS requests.

An unauthenticated attacker with network access (AV:N/PR:N) can exploit this vulnerability by repeatedly submitting authentication requests. While the attack requires high complexity (AC:H), success could grant unauthorized access to the console, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Fortinet PSIRT advisory FG-IR-23-476 at https://fortiguard.fortinet.com/psirt/FG-IR-23-476 provides details on mitigation and patches for this vulnerability.

Details

CWE(s): CWE-307

Affected Products

fortinet

forticlientems

6.2.0 — 6.2.9 · 6.4.0 — 6.4.9 · 7.0.0 — 7.0.11

References

https://fortiguard.fortinet.com/psirt/FG-IR-23-476
Vendor Advisory · psirt@fortinet.com