CVE-2021-26091

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to infer parts of user authentication tokens due to a weak random number generator in FortiMail's Identity Based Encryption service. Attackers could potentially reset user credentials. Affects FortiMail versions 6.4.0-6.4.4 and 6.2.0-6.2.7.

💻 Affected Systems

Products:
  • FortiMail
Versions: 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7
Operating Systems: FortiMail OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Identity Based Encryption service authenticator component. All configurations using affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Attackers could reset credentials for all users, gaining unauthorized access to email accounts and potentially using them for further attacks.

🟠 Likely Case
Targeted credential resets for specific users, leading to account compromise and potential data exfiltration.

🟢 If Mitigated
Limited impact with proper network segmentation and monitoring, but still represents an authentication bypass risk.

🌐 Internet-Facing: HIGH - Unauthenticated attackers can exploit this remotely if FortiMail is internet-facing.
🏢 Internal Only: MEDIUM - Internal attackers could exploit, but requires network access to FortiMail service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of cryptographic weaknesses and token generation patterns. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiMail 6.4.5 or later (6.4 branch); FortiMail 6.2.8 or later (6.2 branch)

Vendor Advisory: https://fortiguard.com/advisory/FG-IR-21-031

Restart Required: No

Instructions:

1. Download the latest firmware from the Fortinet support portal.
2. Back up the configuration.
3. Apply the firmware update via the web interface or CLI.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Identity Based Encryption Service (FortiMail)

Temporarily disable the vulnerable service if it is not required for operations. From the FortiMail CLI:

config system ibe
set status disable
end

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to FortiMail management interfaces
  • Enable detailed logging and monitoring for authentication token generation and credential reset events

🔍 How to Verify

Check if Vulnerable:

Check the FortiMail version via the web interface (System > Status) or the CLI command 'get system status'.

Check Version:

get system status | grep Version

Verify Fix Applied:

Confirm the running version is 6.4.5 or later (6.4 branch) or 6.2.8 or later (6.2 branch), the releases in which the Identity Based Encryption service uses proper cryptographic random generation.
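As an added example (not part of this page or of Fortinet's tooling), the following Python script classifies a FortiMail version string against the affected and fixed ranges stated above. The sample `get system status` output is constructed; FortiMail's exact output layout is not reproduced, and the parser only assumes that a dotted x.y.z version appears on a line containing the word "Version". Branches this page does not list (for example 7.0.x) are reported as "not-listed" rather than guessed at.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected and fixed versions as stated on this page:
# branch -> (first affected, last affected, first fixed)
AFFECTED_BRANCHES = {
    (6, 4): ((6, 4, 0), (6, 4, 4), (6, 4, 5)),
    (6, 2): ((6, 2, 0), (6, 2, 7), (6, 2, 8)),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `get system status` output (assumption: the real
# FortiMail layout is not reproduced, only a "Version" line with v6.4.4).
SAMPLE_STATUS = """\
Version: FortiMail-VM v6.4.4,build0000,000000 (GA)
Serial-Number: FEVM-PLACEHOLDER
System time: Thu Apr  1 10:00:00 2021
"""


def parse_version(status_output: str) -> Optional[Version]:
    """Return the first x.y.z triple found on a line mentioning 'Version'."""
    for line in status_output.splitlines():
        if "version" in line.lower():
            match = VERSION_RE.search(line)
            if match:
                major, minor, patch = (int(p) for p in match.groups())
                return (major, minor, patch)
    return None


def assess(version: Version) -> str:
    """Classify a version against the ranges on this page.

    'vulnerable' : inside an affected range (6.4.0-6.4.4 or 6.2.0-6.2.7)
    'fixed'      : at or above the fixed release for that branch
    'not-listed' : a branch this page does not cover, or a build below
                   the affected range; consult the vendor advisory
    """
    branch = version[:2]
    if branch not in AFFECTED_BRANCHES:
        return "not-listed"
    first, last, fixed = AFFECTED_BRANCHES[branch]
    if first <= version <= last:
        return "vulnerable"
    if version >= fixed:
        return "fixed"
    return "not-listed"


def check_status_output(status_output: str) -> str:
    """End-to-end: parse the CLI output, then classify the version."""
    version = parse_version(status_output)
    if version is None:
        return "unknown"  # no version string found at all
    return assess(version)


if __name__ == "__main__":
    print(check_status_output(SAMPLE_STATUS))  # vulnerable
```

Paste the real output of `get system status` into `check_status_output` to classify a live appliance; a result of "not-listed" or "unknown" means the script could not decide and the vendor advisory should be consulted.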

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful credential resets
  • Unusual patterns in authentication token generation logs

Network Indicators:

  • Unusual traffic to FortiMail IBE service ports from unexpected sources
  • Multiple credential reset requests from single IP

SIEM Query:

source="fortimail" AND (event="authentication_failure" OR event="credential_reset") | stats count by src_ip
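The following Python script is an added example (not from this page or from any SIEM vendor) that applies the same logic as the SIEM query above to raw log lines: it counts `authentication_failure` and `credential_reset` events per `src_ip`, and additionally flags the sequence called out under Log Indicators, a run of failed authentications followed by a credential reset from the same source. The log lines are constructed in a generic key=value layout; FortiMail's real log format and field names are not reproduced, only the `source`, `event` and `src_ip` fields from the query are assumed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample events (assumption: generic key=value layout, not the
# real FortiMail log format). 203.0.113.7 fails three times then resets a
# credential; 192.0.2.9 resets after a successful login; one line is from
# a different source and must be ignored.
SAMPLE_LOGS = """\
date=2021-04-01 time=10:00:01 source="fortimail" event="login_success" src_ip="192.0.2.9" user="bob"
date=2021-04-01 time=10:00:05 source="fortimail" event="authentication_failure" src_ip="203.0.113.7" user="alice"
date=2021-04-01 time=10:00:09 source="fortimail" event="authentication_failure" src_ip="203.0.113.7" user="alice"
date=2021-04-01 time=10:00:14 source="fortimail" event="authentication_failure" src_ip="203.0.113.7" user="alice"
date=2021-04-01 time=10:00:20 source="fortimail" event="credential_reset" src_ip="203.0.113.7" user="alice"
date=2021-04-01 time=10:01:00 source="fortimail" event="authentication_failure" src_ip="198.51.100.20" user="carol"
date=2021-04-01 time=10:02:30 source="fortimail" event="credential_reset" src_ip="192.0.2.9" user="bob"
date=2021-04-01 time=10:03:00 source="fortigate" event="credential_reset" src_ip="203.0.113.7" user="dave"
"""
SAMPLE_LINES = SAMPLE_LOGS.splitlines()

# key=value pairs; quoted values may contain spaces, unquoted ones may not
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def count_by_src_ip(lines: Iterable[str],
                    events=("authentication_failure", "credential_reset")) -> Dict[str, int]:
    """Equivalent of the SIEM query: count matching fortimail events per src_ip."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f.get("source") == "fortimail" and f.get("event") in events:
            counts[f.get("src_ip", "unknown")] += 1
    return dict(counts)


def flag_reset_after_failures(lines: Iterable[str], min_failures: int = 3) -> List[str]:
    """Flag src_ips with at least min_failures failed authentications
    followed (in log order) by a credential reset from the same address."""
    failures = defaultdict(int)
    flagged: List[str] = []
    for line in lines:
        f = parse_line(line)
        if f.get("source") != "fortimail":
            continue
        ip = f.get("src_ip", "unknown")
        event = f.get("event")
        if event == "authentication_failure":
            failures[ip] += 1
        elif event == "credential_reset" and failures[ip] >= min_failures and ip not in flagged:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print(count_by_src_ip(SAMPLE_LINES))
    print(flag_reset_after_failures(SAMPLE_LINES))
```

The per-IP count reproduces the `stats count by src_ip` of the query; the second function is stricter and only raises an alert for the failure-then-reset ordering, which keeps a legitimate self-service reset (192.0.2.9 in the sample) out of the result while still surfacing the suspicious source.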
