Description
Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.
Published: 2026-02-05
Score: 3.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential Theft
Action: Patch Immediately
AI Analysis

Impact

The vulnerability exists in Fortinet FortiOS versions up to 7.6.6. It allows an attacker who has access to the device's configuration files to decrypt LDAP credentials, exposing administrators' usernames and passwords. The weakness arises because the default encryption key is identical for all customers. Attackers could then use these credentials to access unauthorized services or compromise the FortiGate device.

Affected Systems

All FortiGate devices running FortiOS 7.6.6 or earlier are potentially impacted. The affected product is Fortinet FortiOS, as identified by the vendor/product CPE string. No specific device models are listed, so the risk applies broadly to any FortiGate appliance storing configuration data in the standard format.

Risk and Exploitability

The CVSS score of 3.2 indicates a low severity, but the vulnerability has been actively exploited in the wild from December 2025 through 2026. EPSS is less than 1%, suggesting a very low probability of exploitation, yet real-world activity contradicts that low statistical likelihood. Likely attackers already possess read access to the configuration files—through local or remotely misconfigured management interfaces—and then leverage the default key to recover LDAP credentials. The weakness is classified as CWE-1394, a cryptographic issue involving key management. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FortiOS to the latest patched release that removes the default encryption key reuse issue.
  • If an upgrade is not immediately possible, enable the FortiManager‑supported private data encryption option to use a unique, non‑default key for each device; be aware this may affect some management functionalities as noted in the documentation.
  • Restrict filesystem permissions and network access to the FortiGate configuration files, ensuring only authorized administrative accounts or processes can read them.

Generated by OpenCVE AI on April 17, 2026 at 22:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Title LDAP Credentials Decryption via Default Encryption Key in FortiOS 7.6.6

Mon, 09 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.
First Time appeared Fortinet
Fortinet fortios
Weaknesses CWE-1394
CPEs cpe:2.3:a:fortinet:fortios:*:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortios
References
Metrics cvssV3_1

{'score': 3.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Fortinet Fortios
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-09T19:31:50.964Z

Reserved: 2026-02-05T21:14:09.087Z

Link: CVE-2026-25815

cve-icon Vulnrichment

Updated: 2026-02-09T19:31:38.554Z

cve-icon NVD

Status : Deferred

Published: 2026-02-05T22:15:54.100

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses