CVE-2021-26087 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-26087 PUBLISHED CVSS 9.100000381469727 CRITICAL

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests

EPSS 0.05% · 16.3th percentile

Risk Scores

CVSS v3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.05%

16.3th percentile

Affected Products

Vendor	Product	Versions
Fortinet	Fortinet FortiOS, FortiProxy	FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7

Timeline

Jun 2, 2021 CVE Published
Jun 13, 2022 PoC Published
Jun 14, 2023 PoC Published
Dec 24, 2024 PoC Published
Feb 23, 2025 PoC Published
Mar 18, 2025 EPSS Score
Mar 31, 2025 EPSS Score
Apr 13, 2025 EPSS Score
Apr 25, 2025 EPSS Score
May 8, 2025 EPSS Score
May 21, 2025 EPSS Score
Jun 3, 2025 EPSS Score

References

https://www.fortiguard.com/psirt/FG-IR-21-002 advisory
https://www.fortiguard.com/psirt/FG-IR-20-049 advisory
https://www.fortiguard.com/psirt/FG-IR-20-231 advisory
https://www.fortiguard.com/psirt/FG-IR-21-006 advisory
https://www.fortiguard.com/psirt/FG-IR-18-157 advisory
https://www.fortiguard.com/psirt/FG-IR-21-001 advisory
https://www.fortiguard.com/psirt/FG-IR-20-233 advisory
https://www.fortiguard.com/psirt/FG-IR-20-147 advisory
https://www.fortiguard.com/psirt/FG-IR-21-018 advisory
https://www.fortiguard.com/psirt/FG-IR-20-137 advisory
https://www.fortiguard.com/psirt/FG-IR-20-120 advisory
https://www.fortiguard.com/psirt/FG-IR-20-199 advisory
https://www.fortiguard.com/psirt/FG-IR-21-026 advisory
https://fortiguard.com/advisory/FG-IR-18-389 url
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13382 url

Open in Interactive Console →