Impact
An improper export of Android application components in Fortinet FortiTokenAndroid versions 5.2.x, 6.1.x, and 6.2.x may allow an attacker to gain unauthorized access to privileged interfaces or data by exploiting exported activities or services. The vulnerability can lead to the exposure of token credentials or other sensitive data, potentially enabling unauthorized authentication or privilege escalation. This weakness is classified as CWE-926.
Affected Systems
Fortinet FortiTokenAndroid on Android devices is affected in all 5.2.x, 6.1.x, and 6.2.x releases. The issue is mitigated by upgrading to version 6.4.0 or newer.
Risk and Exploitability
We rate the severity with a CVSS score of 5, indicating a medium risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, implying no known mass exploitation. Based on the description, the flaw appears to be exploitable locally or remotely through the exported components, requiring an attacker to trigger an exported activity or service. Since the vector is not explicitly described, practical exploitability may depend on device configuration and the presence of malicious third-party applications. Overall, the risk is moderate: there is no publicly known exploit, but the flaw could be leveraged by attackers with sufficient Android privilege or a compromised device.