Skip to main content

Fortimail CVE-2023-47539

CRITICAL
Improper Access Control (CWE-284)
2025-03-18 psirt@fortinet.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:32 vuln.today
CVE Published
Mar 18, 2025 - 14:15 nvd
CRITICAL 9.8

DescriptionCVE.org

An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP request.

AnalysisAI

An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-284. An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP request. Affected products include: Fortinet Fortimail. Version information: version 7.4.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-9294 CRITICAL POC
9.8 Apr 27

An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 an

CVE-2021-24020 CRITICAL
9.8 Jul 09

A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.

CVE-2021-24007 CRITICAL
9.8 Jul 09

Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow

CVE-2013-1471 MEDIUM POC
4.3 Feb 04

Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMai

CVE-2023-36556 HIGH
8.8 Oct 10

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 throu

CVE-2021-26095 HIGH
8.8 Jul 20

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 thr

CVE-2021-24015 HIGH
8.8 Jul 12

An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of Fo

CVE-2021-22129 HIGH
8.8 Jul 09

Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail befo

CVE-2022-26122 HIGH
8.6 Nov 02

An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engin

CVE-2014-8617 MEDIUM POC
4.3 Mar 04

Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMai

CVE-2022-22299 HIGH
7.8 Aug 05

A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiAD

CVE-2021-26091 HIGH
7.5 Mar 24

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Base

Share

CVE-2023-47539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy