Description
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow an attacker to cause information disclosure by decrypting a database dump.
Published: 2026-04-14
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability arises from the use of a hard‑coded cryptographic key in FortiClientEMS versions 7.4.0 through 7.4.5. This flaw allows an attacker to decrypt database dumps, potentially exposing sensitive information stored within the client database. The primary impact is the compromise of data confidentiality, as the decryption of the database would reveal user or system data that was intended to remain protected.

Affected Systems

Affected systems include Fortinet FortiClientEMS on all impacted releases: version 7.4.0, 7.4.1, 7.4.3, 7.4.4, and 7.4.5. Users running any of these versions should verify their deployment and assess whether the local database is at risk of being exposed.

Risk and Exploitability

The CVSS score of 5.2 indicates a medium severity level. EPSS data is unavailable, and the vulnerability is not currently listed in the KEV catalog, meaning no known exploitation is recorded there. Based on the description, it is inferred that the attacker would need to obtain a database dump and then use the hard‑coded key to decrypt it, so local or privileged access is likely required. Regardless, the confidentiality impact warrants prompt remediation through the recommended vendor update.

Generated by OpenCVE AI on April 14, 2026 at 20:47 UTC.

Remediation

Vendor Solution

Upgrade to FortiClientEMS version 7.4.6 or above


OpenCVE Recommended Actions

  • Upgrade to FortiClientEMS version 7.4.6 or later.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Values Removed: none
Values Added:
Title: Hard‑coded Cryptographic Key Allows Information Disclosure in FortiClientEMS

Tue, 14 Apr 2026 18:00:00 +0000

Values Removed:
Description: A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via <insert attack vector here>
Values Added:
Description: A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via decrypting database dump.

Tue, 14 Apr 2026 17:15:00 +0000

Values Removed: none
Values Added:
Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Values Removed: none
Values Added:
Description: A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via <insert attack vector here>
First Time appeared: Fortinet; Fortinet forticlientems
Weaknesses: CWE-321
CPEs:
cpe:2.3:a:fortinet:forticlientems:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientems:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientems:7.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:*
Vendors & Products: Fortinet; Fortinet forticlientems
References:
Metrics: cvssV3_1
{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-14T17:41:54.082Z

Reserved: 2026-04-07T15:24:09.072Z

Link: CVE-2026-39810

Vulnrichment

Updated: 2026-04-14T16:37:08.715Z

NVD

Status: Received

Published: 2026-04-14T16:16:45.173

Modified: 2026-04-14T18:17:39.020

Link: CVE-2026-39810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses