CVE-2019-16150 — Hard-coded Credentials in Fortinet Forticlient
Severity
5.5 MEDIUM (NVD)
EPSS
0.2%
top 55.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 4
Latest update: May 24
Description
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded key.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 2 packages
🔴 Vulnerability Details (2)
GHSA
GHSA-mvwj-8rw2-6r9x: Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6 (2022-05-24)
CVEList
CVE-2019-16150: Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6 (2020-06-04)
📋 Vendor Advisories (1)
Fortinet
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClie... (2020-06-04)