Vulnerability-Lookup

CVE-2026-25815 (GCVE-0-2026-25815)

Vulnerability from cvelistv5 – Published: 2026-02-05 21:14 – Updated: 2026-02-09 19:31 Disputed

KEVintel KEV

Summary

Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.

Severity

3.2 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1394 - Use of Default Cryptographic Key

Assigner

mitre

References

2 references

URL	Tags
https://www.cert.at/en/blog/2026/1/threat-actors-…
https://docs.fortinet.com/document/fortimanager/7…

Impacted products

1 product

Vendor	Product	Version
Fortinet	FortiOS	Affected: 0 , ≤ 7.6.6 (custom)

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: d1d39f45-4ea4-4de9-a399-57ec6fbf174c

Vulnerability ID: CVE-2026-25815

Status: Confirmed

Status Updated: 2026-06-01 10:50 UTC

Exploited: Yes

Timestamps

First Seen: 2026-06-01

Asserted: 2026-06-01

Scope

Notes: KEVIntel entry: Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from... | Affected: Fortinet / FortiOS | CVSS: 3.2 (LOW) | EPSS: 0.00094 | Used in malware: unknown | Not yet in CISA KEV: True

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from...
Vendor	Fortinet
Product	FortiOS
Added Date	2026-06-01T10:50:28.686Z
Cvss Score	3.2
Epss Score	0.00094
Cvss Severity	LOW
Epss Percentile	0.00778
Used In Malware	unknown
Ahead Of Cisa Kev	None
Not Yet In Cisa Kev	True

References

Created: 2026-06-19 12:45 UTC | Updated: 2026-06-19 12:45 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T19:31:32.278263Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T19:31:50.964Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "FortiOS",
          "vendor": "Fortinet",
          "versions": [
            {
              "lessThanOrEqual": "7.6.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:fortinet:fortios:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "7.6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers\u0027 installations). NOTE: the Supplier\u0027s position is that the instance of CWE-1394 is not a vulnerability because customers \"are supposed to enable\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \"Managing FortiGates with private data encryption\" document, and is therefore intentionally not a default option."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1394",
              "description": "CWE-1394 Use of Default Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T01:37:58.928Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords"
        },
        {
          "url": "https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-25815",
    "datePublished": "2026-02-05T21:14:09.241Z",
    "dateReserved": "2026-02-05T21:14:09.087Z",
    "dateUpdated": "2026-02-09T19:31:50.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-25815",
      "date": "2026-06-19",
      "epss": "0.00094",
      "percentile": "0.00777"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25815\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2026-02-05T22:15:54.100\",\"lastModified\":\"2026-02-06T15:14:47.703\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers\u0027 installations). NOTE: the Supplier\u0027s position is that the instance of CWE-1394 is not a vulnerability because customers \\\"are supposed to enable\\\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \\\"Managing FortiGates with private data encryption\\\" document, and is therefore intentionally not a default option.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.2,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.4,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1394\"}]}],\"references\":[{\"url\":\"https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords\",\"source\":\"cve@mitre.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25815\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-09T19:31:32.278263Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-09T19:31:38.554Z\"}}], \"cna\": {\"tags\": [\"disputed\"], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Fortinet\", \"product\": \"FortiOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.6.6\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords\"}, {\"url\": \"https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption\"}], \"x_generator\": {\"engine\": \"CVE-Request-form 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers\u0027 installations). NOTE: the Supplier\u0027s position is that the instance of CWE-1394 is not a vulnerability because customers \\\"are supposed to enable\\\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \\\"Managing FortiGates with private data encryption\\\" document, and is therefore intentionally not a default option.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1394\", \"description\": \"CWE-1394 Use of Default Cryptographic Key\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:fortinet:fortios:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"7.6.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-02-06T01:37:58.928Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25815\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-09T19:31:50.964Z\", \"dateReserved\": \"2026-02-05T21:14:09.087Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2026-02-05T21:14:09.241Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-25815

Vulnerability from fkie_nvd - Published: 2026-02-05 22:15 - Updated: 2026-06-17 10:25

KEVintel KEV

Severity

3.2 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

References

	URL	Tags
	cve@mitre.org	https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption
	cve@mitre.org	https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unknown",
          "product": "FortiOS",
          "vendor": "Fortinet",
          "versions": [
            {
              "lessThanOrEqual": "7.6.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "cve@mitre.org"
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers\u0027 installations). NOTE: the Supplier\u0027s position is that the instance of CWE-1394 is not a vulnerability because customers \"are supposed to enable\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \"Managing FortiGates with private data encryption\" document, and is therefore intentionally not a default option."
    },
    {
      "lang": "es",
      "value": "Fortinet FortiOS hasta 7.6.6 permite a los atacantes descifrar credenciales LDAP almacenadas en archivos de configuraci\u00f3n del dispositivo, seg\u00fan se explot\u00f3 en la naturaleza desde el 16-12-2025 hasta 2026 (por defecto, la clave de cifrado es la misma en todas las instalaciones de los clientes). NOTA: la posici\u00f3n del Proveedor es que la instancia de CWE-1394 no es una vulnerabilidad porque se \u0027supone que los clientes deben habilitar\u0027 una opci\u00f3n no predeterminada que elimina la debilidad. Sin embargo, esa opci\u00f3n no predeterminada puede interrumpir la funcionalidad como se muestra en el documento \u0027Managing FortiGates with private data encryption\u0027, y, por lo tanto, no es intencionalmente una opci\u00f3n predeterminada."
    }
  ],
  "id": "CVE-2026-25815",
  "lastModified": "2026-06-17T10:25:17.510",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.2,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.4,
        "impactScore": 1.4,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-25815",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-02-09T19:31:32.278263Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-02-05T22:15:54.100",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1394"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    }
  ]
}

GCVE-1-2026-0015 (CVE-2026-25815)

Vulnerability from gna-1 – Published: 2026-02-09 09:09 – Updated: 2026-02-09 09:14

KEVintel KEV

Title

Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords

Summary

**CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker.** The obtained exploit works only for the original vulnerability and is not effective against patched devices. It is, however, known that the flaw still exists and affects all SSO setups in Fortinet appliances. The exploit behavior is consistent with our previous publication - https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation) . The exploit is prepared to work against FortiGate instances, and in the toolkit, we have found two scripts for the post-exploitation analysis of the collected configuration dumps. The attacker: * looks for the LDAP/AD configuration settings, * is in the possession of the default FortiGate configuration encryption key. The “regular bind“ mode of LDAP/AD connection with FortiGate requires providing user credentials for the appliance, which FortiGate uses to establish a connection with the LDAP server. They are encrypted in the configuration, but by default, the encryption key is static and the same on all instances. We were able to confirm that the key included in the attacker toolkit works on the fresh FortiGate 7.6.5 VM. **Note:** in our tests, we also confirmed that the normal local user passwords are NOT possible to retrieve back. Our understanding is that only the data that is necessary to become back (LDAP connection password for regular bind, private keys for certificates, etc.) could be decrypted. Preventive recommendations -------------------------- We strongly recommend activating the “private data encryption” feature in FortiGate devices, which replaces the default encryption key. This step is also officially recommended by Fortinet as a hardening measure. The encryption key has to be the same in all instances in an HA cluster. Using a custom encryption key helps “buying time” for credential rotation after a configuration leak. As always, CERT.at strongly recommends keeping management interfaces not accessible from the public internet. In the last blog post, the Fortinet PSIRT recommends setting a local-in policy to restrict access on the administrative interface.

Severity

7.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CWE

CWE-1188 - Insecure Default Initialization of Resource

Assigner

GNA-1

References

6 references

URL	Tags
https://fortiguard.fortinet.com/psirt/FG-IR-25-647	vendor-advisory
https://www.fortinet.com/blog/psirt-blogs/analysi…	vendor-advisory
https://docs.fortinet.com/document/fortigate/7.6.…	mitigation
https://community.fortinet.com/t5/FortiGate/Techn…	mitigation
https://docs.fortinet.com/document/fortigate/7.6.…	mitigation
https://docs.fortinet.com/document/fortigate/7.6.…	mitigation

Impacted products

1 product

Vendor	Product	Version
fortinet	fortios	Affected: ≤ 7.6.6

Credits

Kamil Mankowski

Relationships

related CVE-2025-59718
related CVE-2025-59719
overlap CVE-2026-25815

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: d1d39f45-4ea4-4de9-a399-57ec6fbf174c

Vulnerability ID: CVE-2026-25815

Status: Confirmed

Status Updated: 2026-06-01 10:50 UTC

Exploited: Yes

Timestamps

First Seen: 2026-06-01

Asserted: 2026-06-01

Scope

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from...
Vendor	Fortinet
Product	FortiOS
Added Date	2026-06-01T10:50:28.686Z
Cvss Score	3.2
Epss Score	0.00094
Cvss Severity	LOW
Epss Percentile	0.00778
Used In Malware	unknown
Ahead Of Cisa Kev	None
Not Yet In Cisa Kev	True

References

Created: 2026-06-19 12:45 UTC | Updated: 2026-06-19 12:45 UTC

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "fortios",
          "vendor": "fortinet",
          "versions": [
            {
              "lessThanOrEqual": "7.6.6",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kamil Mankowski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e**CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker.**\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eThe obtained exploit works only for the original vulnerability and is not effective against patched devices. It is, however, known that the flaw still exists and affects all SSO setups in Fortinet appliances. The exploit behavior is consistent with our previous publication -\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation)\"\u003ehttps://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThe exploit is prepared to work against FortiGate instances, and in the toolkit, we have found two scripts for the post-exploitation analysis of the collected configuration dumps. The attacker:\u003cbr\u003e\u003cbr\u003e*   looks for the LDAP/AD configuration settings,\u003cbr\u003e*   is in the possession of the default FortiGate configuration encryption key.\u003cbr\u003e\u003cbr\u003eThe \u201cregular bind\u201c mode of LDAP/AD connection with FortiGate requires providing user credentials for the appliance, which FortiGate uses to establish a connection with the LDAP server. They are encrypted in the configuration, but by default, the encryption key is static and the same on all instances. We were able to confirm that the key included in the attacker toolkit works on the fresh FortiGate 7.6.5 VM.\u003cbr\u003e\u003cbr\u003e**Note:** in our tests, we also confirmed that the normal local user passwords are NOT possible to retrieve back. Our understanding is that only the data that is necessary to become back (LDAP connection password for regular bind, private keys for certificates, etc.) could be decrypted.\u003cbr\u003e\u003cbr\u003ePreventive recommendations\u003cbr\u003e--------------------------\u003cbr\u003e\u003cbr\u003eWe strongly recommend activating the \u201cprivate data encryption\u201d feature in FortiGate devices, which replaces the default encryption key. This step is also officially recommended by Fortinet as a hardening measure. The encryption key has to be the same in all instances in an HA cluster. Using a custom encryption key helps \u201cbuying time\u201d for credential rotation after a configuration leak.\u003cbr\u003e\u003cbr\u003eAs always, CERT.at strongly recommends keeping management interfaces not accessible from the public internet. In the last blog post, the Fortinet PSIRT recommends setting a local-in policy to restrict access on the administrative interface.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "**CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker.**\n\n\n\n\nThe obtained exploit works only for the original vulnerability and is not effective against patched devices. It is, however, known that the flaw still exists and affects all SSO setups in Fortinet appliances. The exploit behavior is consistent with our previous publication -\u00a0 https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation) .\n\nThe exploit is prepared to work against FortiGate instances, and in the toolkit, we have found two scripts for the post-exploitation analysis of the collected configuration dumps. The attacker:\n\n*   looks for the LDAP/AD configuration settings,\n*   is in the possession of the default FortiGate configuration encryption key.\n\nThe \u201cregular bind\u201c mode of LDAP/AD connection with FortiGate requires providing user credentials for the appliance, which FortiGate uses to establish a connection with the LDAP server. They are encrypted in the configuration, but by default, the encryption key is static and the same on all instances. We were able to confirm that the key included in the attacker toolkit works on the fresh FortiGate 7.6.5 VM.\n\n**Note:** in our tests, we also confirmed that the normal local user passwords are NOT possible to retrieve back. Our understanding is that only the data that is necessary to become back (LDAP connection password for regular bind, private keys for certificates, etc.) could be decrypted.\n\nPreventive recommendations\n--------------------------\n\nWe strongly recommend activating the \u201cprivate data encryption\u201d feature in FortiGate devices, which replaces the default encryption key. This step is also officially recommended by Fortinet as a hardening measure. The encryption key has to be the same in all instances in an HA cluster. Using a custom encryption key helps \u201cbuying time\u201d for credential rotation after a configuration leak.\n\nAs always, CERT.at strongly recommends keeping management interfaces not accessible from the public internet. In the last blog post, the Fortinet PSIRT recommends setting a local-in policy to restrict access on the administrative interface."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-70",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-647"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/102264/configuring-an-ldap-server"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-private-data-encryption-feature-on-a/ta-p/339071"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://docs.fortinet.com/document/fortigate/7.6.0/best-practices/555436/hardening#SecurePassStorage"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/363127/local-in-policy"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords",
      "x_gcve": [
        {
          "recordType": "update",
          "relationships": [
            {
              "destId": "CVE-2025-59718",
              "type": "related"
            },
            {
              "destId": "CVE-2025-59719",
              "type": "related"
            },
            {
              "destId": "CVE-2026-25815",
              "type": "overlap"
            }
          ],
          "vulnId": "GCVE-1-2026-0015"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "cveId": "CVE-2026-25815",
    "datePublished": "2026-02-09T09:09:00.000Z",
    "dateUpdated": "2026-02-09T09:14:59.004089Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "GCVE-1-2026-0015",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-09T09:09:48.357212Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-09T09:10:53.252394Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-09T09:11:41.464605Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-09T09:14:59.004089Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-867W-FFWP-RH44

Vulnerability from github – Published: 2026-02-06 00:30 – Updated: 2026-02-06 00:30

Details

Severity

3.2 (Low)


                  
                    CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-25815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1394"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T22:15:54Z",
    "severity": "LOW"
  },
  "details": "Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers\u0027 installations). NOTE: the Supplier\u0027s position is that the instance of CWE-1394 is not a vulnerability because customers \"are supposed to enable\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \"Managing FortiGates with private data encryption\" document, and is therefore intentionally not a default option.",
  "id": "GHSA-867w-ffwp-rh44",
  "modified": "2026-02-06T00:30:26Z",
  "published": "2026-02-06T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25815"
    },
    {
      "type": "WEB",
      "url": "https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption"
    },
    {
      "type": "WEB",
      "url": "https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25815 (GCVE-0-2026-25815)

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Successful Exploitation Confidence: 70% Source: kevintel

Details

References

FKIE_CVE-2026-25815

GCVE-1-2026-0015 (CVE-2026-25815)

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Successful Exploitation Confidence: 70% Source: kevintel

Details

References

GHSA-867W-FFWP-RH44

Tags

Sightings

Nomenclature