Authentication Lockout Bypass via Race Condition

Low Risk | 3.4 | FG-IR-26-079 | Mar 10, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A race condition in FortiAnalyzer and FortiManager versions 6.4, 7.0, 7.2, 7.4, and 7.6.0–7.6.4 allows authentication lockout protection to be bypassed for a brief window. An attacker can exploit this by sending concurrent authentication requests, permitting additional password guesses before the account lockout is enforced. The vulnerability affects both on-premises and cloud deployments. Fortinet has released patches for version 7.6.5 and later; older versions (6.4–7.4) require migration to a fixed release.

What this means
What could happen
An attacker could bypass login lockout protections and attempt multiple password guesses within a narrow time window due to a race condition, potentially gaining unauthorized access to FortiAnalyzer or FortiManager management systems that control your security appliances and log aggregation.
Who's at risk
Organizations deploying Fortinet FortiAnalyzer or FortiManager (on-premises or cloud-hosted) for centralized log aggregation, reporting, and security appliance management. This includes utility companies, municipalities, and industrial facilities using Fortinet as their primary security monitoring backbone. FortiAnalyzer Cloud and FortiManager Cloud customers should coordinate with Fortinet for cloud-side patching.
How it could be exploited
An attacker sends multiple authentication requests concurrently to the management interface (port 443, web UI or API). Because of the race condition, some of those requests are processed before the brute-force lockout counter is updated, so more password attempts get evaluated than the lockout policy should allow before the account is temporarily disabled.
Prerequisites
  • Network access to FortiAnalyzer or FortiManager management interface (port 443)
  • Valid username (attacker can attempt dictionary/common credentials)
  • Ability to send rapid concurrent requests (automated tooling)
Tags: remotely exploitable; low authentication complexity; race condition enables brute-force acceleration; affects management system with privileged access to security infrastructure
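A defender-side check for the behaviour described above, added here as an example and not taken from the advisory or from Fortinet's own tooling: it reads constructed login-failure records and flags any account whose failed logins inside one lockout window exceed the threshold that a working lockout would enforce, which is exactly the symptom a race-condition bypass leaves behind. The key=value log format, the threshold of 3 and the 60-second window are assumptions for the example, not Fortinet's real log syntax or default policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format (not Fortinet's real
# syntax): six "admin" failures land within 60 ms, far beyond the assumed lockout threshold.
SAMPLE_LOG = """\
2026-03-10T09:00:00.010 user=admin src=203.0.113.5 action=login status=failed
2026-03-10T09:00:00.020 user=admin src=203.0.113.5 action=login status=failed
2026-03-10T09:00:00.025 user=admin src=203.0.113.7 action=login status=failed
2026-03-10T09:00:00.040 user=admin src=203.0.113.5 action=login status=failed
2026-03-10T09:00:00.055 user=admin src=203.0.113.7 action=login status=failed
2026-03-10T09:00:00.070 user=admin src=203.0.113.5 action=login status=failed
2026-03-10T09:00:05.000 user=ops src=198.51.100.9 action=login status=failed
2026-03-10T09:00:15.000 user=ops src=198.51.100.9 action=login status=failed
2026-03-10T09:00:20.000 user=ops src=198.51.100.9 action=login status=success
"""

LOCKOUT_THRESHOLD = 3                   # assumed policy: lock the account after 3 failures
LOCKOUT_WINDOW = timedelta(seconds=60)  # assumed policy: window in which failures are counted

def parse_line(line):
    """Split one constructed log line into (timestamp, {key: value})."""
    ts_text, *pairs = line.split()
    return datetime.fromisoformat(ts_text), dict(p.split("=", 1) for p in pairs)

def find_lockout_bypass(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {user: {"max_failures": n, "sources": [ips]}} for every account whose
    failed logins inside one lockout window exceed the threshold. A working lockout
    caps that count at the threshold, so any hit means the lockout was bypassed."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        if f.get("action") == "login" and f.get("status") == "failed":
            failures[f["user"]].append((ts, f["src"]))
    alerts = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in one window.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = end - start + 1
            if burst > threshold:
                a = alerts.setdefault(user, {"max_failures": 0, "sources": set()})
                a["max_failures"] = max(a["max_failures"], burst)
                a["sources"].update(src for _, src in events[start:end + 1])
    return {u: {"max_failures": a["max_failures"], "sources": sorted(a["sources"])}
            for u, a in alerts.items()}
```

Run over real FortiAnalyzer/FortiManager audit logs, a non-empty result after the patch is applied points at a lockout policy that is weaker than assumed rather than at the bypass.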
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (20)
20 with fix
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.4 | 7.6.5+
FortiAnalyzer | 7.4 all versions | Migrate to fixed release
FortiAnalyzer | 7.2 all versions | Migrate to fixed release
FortiAnalyzer | 7.0 all versions | Migrate to fixed release
FortiAnalyzer | 6.4 all versions | Migrate to fixed release
Remediation & Mitigation
Do now
FortiAnalyzer
HARDENING: Restrict network access to the FortiAnalyzer/FortiManager management interface to authorized administrative subnets only
All products
WORKAROUND: Implement IP-based rate limiting or WAF rules to block rapid-fire login attempts from a single source
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiAnalyzer
HOTFIX: Update FortiAnalyzer and FortiManager to version 7.6.5 or later if currently running 7.6.0–7.6.4
HOTFIX: For FortiAnalyzer and FortiManager running versions 7.4, 7.2, 7.0, or 6.4, plan and execute migration to a supported fixed release (7.6.5+)
Long-term hardening
HARDENING: Review and strengthen account lockout policies (increase lockout duration, reduce attempt threshold) as a compensating control