Login Sign Up

CVE-2021-26095

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers who have obtained a session cookie to decrypt, modify, or forge its contents, potentially leading to privilege escalation. It affects FortiMail email security appliances running vulnerable versions. Attackers could gain unauthorized access to administrative functions or user accounts.

💻 Affected Systems

Products:
  • FortiMail
Versions: 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6
Operating Systems: Fortinet's custom OS
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using vulnerable versions are affected. The vulnerability is in the session management system itself.

📦 What is this software?

Fortimail by Fortinet

View all CVEs affecting Fortimail →

Fortimail by Fortinet

View all CVEs affecting Fortimail →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative compromise of FortiMail appliance, allowing attacker to intercept all email traffic, modify security policies, and potentially pivot to internal networks.

🟠

Likely Case

Privilege escalation from low-privilege user to administrator or from unauthenticated to authenticated user, enabling email interception and system configuration changes.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring of administrative access patterns.

🌐 Internet-Facing: HIGH - FortiMail appliances are typically internet-facing email gateways, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit this, but external attackers pose greater risk due to internet exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to first obtain a valid session cookie through other means (phishing, MITM, etc.), then perform cryptographic analysis and manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiMail 6.4.5 and 6.2.7 or later

Vendor Advisory: https://fortiguard.com/advisory/FG-IR-21-019

Restart Required: Yes

Instructions:

1. Download latest firmware from Fortinet support portal. 2. Backup current configuration. 3. Apply firmware update via web interface or CLI. 4. Reboot appliance. 5. Verify version and functionality.

🔧 Temporary Workarounds

Restrict administrative access

all

Limit administrative interface access to specific trusted IP addresses only

config system interface
edit <interface_name>
set allowaccess https ssh
set trust-ip-1 <trusted_ip>
end

Implement MFA

all

Enable multi-factor authentication for all administrative accounts

config system admin
edit <admin_user>
set two-factor enable
set two-factor-method fortitoken
end

🧯 If You Can't Patch

  • Isolate FortiMail appliance behind firewall with strict inbound/outbound rules
  • Implement network segmentation to limit potential lateral movement if compromised

🔍 How to Verify

Check if Vulnerable:

Check FortiMail version via web interface (System > Dashboard) or CLI command: get system status

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify version is 6.4.5+ or 6.2.7+ and test session cookie generation/validation

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login from different IP
  • Unusual administrative actions from non-standard IP addresses
  • Session ID anomalies or reuse

Network Indicators:

  • Unusual traffic patterns to/from FortiMail administrative interface
  • Multiple session establishment attempts

SIEM Query:

source="fortimail" AND (event_type="admin_login" AND src_ip NOT IN [trusted_ips]) OR (event_type="config_change" AND user!="expected_admin")

📊 Metadata

CVE ID: CVE-2021-26095
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: July 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON