FortiOS - Hardcoded SSLVPN cookie encryption key


A use of hard-coded cryptographic key vulnerability [CWE 321] in FortiOS SSLVPN may allow an attacker to retrieve the key by reverse engineering.

Affected Products

FortiOS 6.4.5 and below.
FortiOS 6.2.8 and below.
FortiOS 6.0.12 and below.
FortiOS 5.6.13 and below.


Upgrade to FortiOS 7.0.0 or above.
Upgrade to FortiOS 6.4.6 or above.
Upgrade to FortiOS 6.2.10 or above.
Upgrade to FortiOS 6.0.13 or above.
Upgrade to FortiOS 5.6.14 or above.

For new high-end F-Series Models (FG-1800F, FG-3800F, FG-4200F, FG-4400F) please upgrade to 6.2.9