FortiDeceptor <3.1: Unrestricted Auth Attempts Causing DoS via HTTP Login
CVE-2023-26209 Published on March 9, 2023
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiDeceptor 3.1.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
Vulnerability Analysis
CVE-2023-26209 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Restriction of Excessive Authentication Attempts
The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
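As an added illustration of the missing control (example code, not from the advisory or from Fortinet's product), the following is a per-client sliding-window limiter that runs ahead of the expensive credential check, so a flood of login requests is rejected before any CPU-heavy password verification happens. The thresholds, the client key (here a source address) and the `verify` callback are assumptions.

```python
import time
from collections import deque

# Illustrative thresholds (constructed, not values from the advisory).
MAX_ATTEMPTS = 5          # attempts allowed per client per window
WINDOW_SECONDS = 60.0     # sliding window length
LOCKOUT_SECONDS = 300.0   # cool-down once the threshold is exceeded


class LoginRateLimiter:
    """Sliding-window limiter keyed by client; bounded memory per client."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._attempts = {}      # client -> deque of attempt timestamps
        self._locked_until = {}  # client -> time at which the lockout expires

    def check(self, client, now=None):
        """Return True if this client may attempt a login right now."""
        now = time.monotonic() if now is None else now
        if self._locked_until.get(client, 0.0) > now:
            return False                      # still locked out: cheap reject
        q = self._attempts.setdefault(client, deque(maxlen=self.max_attempts))
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[client] = now + self.lockout
            q.clear()                         # release state for locked-out clients
            return False
        q.append(now)
        return True


def handle_login(limiter, client, username, password, verify, now=None):
    """Rate-limit first; only then pay for the slow credential verification.

    `verify(username, password)` is an assumed callback standing in for the
    application's real (deliberately slow, e.g. hashed) password check.
    """
    if not limiter.check(client, now):
        return 429  # Too Many Requests: no hashing work was done for this request
    return 200 if verify(username, password) else 401
```

Keying only on source address is a simplification; in production the limiter state should also be bounded globally (for example an LRU over clients) so the limiter itself cannot become the memory-exhaustion target.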
Products Associated with CVE-2023-26209
Affected Versions
Fortinet FortiDeceptor:
- Version 3.1.0, <= 3.1.1 is affected.
- Version 3.0.0, <= 3.0.2 is affected.
- Version 2.1.0 is affected.
- Version 2.0.0 is affected.
- Version 1.1.0 is affected.
- Version 1.0.0, <= 1.0.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.