CVE-2026-25815
CVE-2026-25815
In short
Fortinet FortiOS versions up to 7.6.6 use a default encryption key that is identical across all customer installations, allowing attackers to decrypt stored LDAP credentials from configuration files. This weakness has been actively exploited since December 2025.
Technical detail
CWE-1394 (Use of a Broken or Risky Cryptographic Algorithm) manifests as weak cryptographic protection of LDAP credentials in FortiOS device configurations due to a shared default encryption key across all deployments. An attacker with access to configuration files (via file disclosure or device compromise) can decrypt stored credentials without authentication, bypassing intended access controls.
Summary generated and translated by AI from the official description.
Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected products
Fortinet · FortiOSWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →