Hardcoded Encryption Key Used for VPN Saved Passwords

Summary

A Missing Authorization [CWE-862] in FortiClient Windows may allow an authenticated local attacker to decrypt a currently logged-in user's VPN password via use of an unprotected DLL function.

Version                | Affected            | Solution
FortiClientWindows 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above
FortiClientWindows 7.2 | 7.2 all versions    | Migrate to a fixed release
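The following is an added example, not part of the advisory and not Fortinet code: a small Python checker that takes an installed FortiClient Windows version string (obtained by the administrator from the client or the installed-programs list; how to retrieve it is not covered here) and reports whether it falls in the ranges listed in the table above, with the advisory's stated remediation. The version format is assumed to be dotted numerics such as "7.4.1"; the ranges and remediation strings are copied from the table.

```python
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Assessment(NamedTuple):
    affected: bool
    solution: str


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version ("7.4.1", "7.4") into a 3-tuple,
    padding missing trailing components with 0 so "7.4" compares as 7.4.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts][:3]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


# Affected ranges copied from the advisory table.
# (branch prefix, lowest affected, highest affected, remediation);
# a None range means every release on that branch is affected.
AFFECTED_RANGES = [
    ((7, 4), (7, 4, 0), (7, 4, 2), "Upgrade to 7.4.3 or above"),
    ((7, 2), None, None, "Migrate to a fixed release"),
]


def assess(version_text: str) -> Assessment:
    """Return whether the given FortiClient Windows version is listed as
    affected by this advisory and, if so, the advisory's remediation."""
    version = parse_version(version_text)
    for branch, low, high, solution in AFFECTED_RANGES:
        if version[: len(branch)] != branch:
            continue
        if low is None:
            # Whole branch listed as affected (7.2 all versions).
            return Assessment(True, solution)
        if low <= version <= high:
            return Assessment(True, solution)
        # Same branch but outside the listed range: at or above the fix.
        return Assessment(False, "at or above the fixed release for this branch")
    # Branches not mentioned in the advisory are reported as not listed,
    # which is not the same as confirmed unaffected.
    return Assessment(False, "branch not listed in this advisory")


if __name__ == "__main__":
    for sample in ("7.4.1", "7.4.3", "7.2.8", "7.6.0"):
        result = assess(sample)
        state = "AFFECTED" if result.affected else "not affected"
        print(f"FortiClientWindows {sample}: {state} ({result.solution})")
```

Versions on branches the advisory does not mention are reported as "not listed" rather than safe, so the check does not silently clear releases the advisory says nothing about.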

Acknowledgement

Fortinet is pleased to thank Alex Ghiotto of HackerHood Research Group for reporting this vulnerability under responsible disclosure.

Timeline

2026-05-12: Initial publication