Description
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via <insert attack vector here>
Published: 2026-05-12
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the use of a hard‑coded cryptographic key in Fortinet FortiClientWindows versions 7.4.0 through 7.4.2 and all 7.2 releases. An attacker could exploit this weakness to read data protected by the hard‑coded key, thereby exposing confidential information. This flaw maps to CWE‑321, Use of Hard‑coded Cryptographic Key.

Affected Systems

FortiClientWindows from Fortinet, specifically the 7.4.0‑7.4.2 releases and every release in the 7.2.x series. Systems running any of these versions are vulnerable.

Risk and Exploitability

The CVSS score is 2.1, indicating a low risk level, and no EPSS figure is currently available. The vulnerability is not listed in the CISA KEV catalog. The official description does not state an attack vector, so the exact method of exploitation is not known. However, the presence of a hard‑coded key suggests that if an attacker can read application configuration or memory, information disclosure could be achieved.

Generated by OpenCVE AI on May 12, 2026 at 20:14 UTC.

Remediation

Vendor Solution

Upgrade to FortiClientWindows version 7.4.3 or above


OpenCVE Recommended Actions

  • Upgrade FortiClientWindows to version 7.4.3 or later, which removes the hard‑coded key.
  • If upgrading is temporarily infeasible, disable any features that rely on the compromised key or reconfigure the client to use a non‑predictable key.
  • Continuously monitor the client’s logs for abnormal decryption activity and ensure that only authorized users can access FortiClientWindows.

Generated by OpenCVE AI on May 12, 2026 at 20:14 UTC.

Advisories

No advisories yet.

History

Sat, 16 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet forticlient
CPEs cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*
Vendors & Products Fortinet forticlient

Tue, 12 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Hard‑coded Cryptographic Key Leading to Information Disclosure in FortiClientWindows

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via <insert attack vector here>
First Time appeared Fortinet
Fortinet forticlientwindows
Weaknesses CWE-321
CPEs cpe:2.3:a:fortinet:forticlientwindows:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.10:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.11:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.12:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.13:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.14:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.2.9:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlientwindows:7.4.2:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet forticlientwindows
References
Metrics cvssV3_1

{'score': 2.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-05-14T15:28:56.927Z

Reserved: 2026-05-05T17:24:17.727Z

Link: CVE-2026-44278

Vulnrichment

Updated: 2026-05-12T19:02:39.152Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:30.177

Modified: 2026-05-16T01:59:57.023

Link: CVE-2026-44278

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:00:18Z

Weaknesses
  • CWE-321

    Use of Hard-coded Cryptographic Key