Two security vulnerabilities have been detected in FortiMail, the solution for the protection of enterprise email infrastructure developed by Fortinet. According to the report, the successful exploitation of the flaws would open the door to various risk scenarios.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-32586: Insufficient validation of user-provided inputs in CGI installations of the web server would allow unauthenticated remote threat actors to send specially crafted HTTP requests and alter the underlying script interpreter environment.

The flaw received a CVSS score of 6.7/10 and its malicious exploitation would allow full compromise of the affected system.

CVE-2021-36166: A logical error in FortiMail would allow remote hackers to guess the administrator’s authentication token by observing certain properties on the system, allowing the authentication process to be evaded and gaining full access to the affected system.

This is a critical vulnerability and received a CVSS score of 8.5/10.

According to the report, the flaws reside in all versions of Fortinet FortiMail between v6.0.0 and v6.4.5.

While vulnerabilities can be exploited by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, Fortinet recommends that users of affected deployments install the available updates as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.