CVE-2020-9294

CRITICAL

FortiMail Unauthenticated Login Bypass Scanner

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9294. PoCs published by Mike Connor, including Metasploit module auxiliary/scanner/http/fortimail_login_bypass_detection.

AI-analyzed exploit summary: This Metasploit module scans for FortiMail instances vulnerable to an unauthenticated login bypass (CVE-2020-9294) by checking the version in the response body. It does not exploit the vulnerability but detects vulnerable versions.

Description

An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoice Enterprise 6.0.0 and 6.0.1 may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface.

Exploits (1)

metasploit SCANNER
by Mike Connor · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.rb

Classification
Scanner 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: FortiMail (builds 140-160, 730-745, 250-263)
No auth needed
Prerequisites: Network access to the FortiMail admin interface
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References
Vendor Advisory x_refsource_confirm
https://fortiguard.com/psirt/FG-IR-20-045

Scores

CVSS v3 9.8
EPSS 0.7778
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (2)
fortinet/fortimail < 5.4.10
fortinet/fortivoice 6.0.0 - 6.0.1
Published Apr 27, 2020
Tracked Since Feb 18, 2026