{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-25815", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-05T21:14:09.087Z", "datePublished": "2026-02-05T21:14:09.241Z", "dateUpdated": "2026-02-09T19:31:50.964Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "FortiOS", "vendor": "Fortinet", "versions": [{"lessThanOrEqual": "7.6.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers \"are supposed to enable\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \"Managing FortiGates with private data encryption\" document, and is therefore intentionally not a default option."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1394", "description": "CWE-1394 Use of Default Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-06T01:37:58.928Z"}, "references": [{"url": "https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords"}, {"url": "https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortios:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.6.6"}]}]}], "tags": ["disputed"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T19:31:32.278263Z", "id": "CVE-2026-25815", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T19:31:50.964Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25815", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T19:31:32.278263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T19:31:38.554Z"}}], "cna": {"tags": ["disputed"], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortinet", "product": "FortiOS", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "7.6.6"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords"}, {"url": "https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers \"are supposed to enable\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \"Managing FortiGates with private data encryption\" document, and is therefore intentionally not a default option."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1394", "description": "CWE-1394 Use of Default Cryptographic Key"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "7.6.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-06T01:37:58.928Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25815", "state": "PUBLISHED", "dateUpdated": "2026-02-09T19:31:50.964Z", "dateReserved": "2026-02-05T21:14:09.087Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-05T21:14:09.241Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers \"are supposed to enable\" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the \"Managing FortiGates with private data encryption\" document, and is therefore intentionally not a default option."}, {"lang": "es", "value": "Fortinet FortiOS hasta 7.6.6 permite a los atacantes descifrar credenciales LDAP almacenadas en archivos de configuraci\u00f3n del dispositivo, seg\u00fan se explot\u00f3 en la naturaleza desde el 16-12-2025 hasta 2026 (por defecto, la clave de cifrado es la misma en todas las instalaciones de los clientes). NOTA: la posici\u00f3n del Proveedor es que la instancia de CWE-1394 no es una vulnerabilidad porque se 'supone que los clientes deben habilitar' una opci\u00f3n no predeterminada que elimina la debilidad. Sin embargo, esa opci\u00f3n no predeterminada puede interrumpir la funcionalidad como se muestra en el documento 'Managing FortiGates with private data encryption', y, por lo tanto, no es intencionalmente una opci\u00f3n predeterminada."}], "id": "CVE-2026-25815", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-05T22:15:54.100", "references": [{"source": "cve@mitre.org", "url": "https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption"}, {"source": "cve@mitre.org", "url": "https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1394"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:58:51.725780+00:00", "value": {"mitigation_remediation": ["Upgrade FortiOS to the latest patched release that removes the default encryption key reuse issue.", "If an upgrade is not immediately possible, enable the FortiManager\u2011supported private data encryption option to use a unique, non\u2011default key for each device; be aware this may affect some management functionalities as noted in the documentation.", "Restrict filesystem permissions and network access to the FortiGate configuration files, ensuring only authorized administrative accounts or processes can read them."], "summary": {"action": "Patch Immediately", "impact": "Credential Theft"}, "threat_synthesis": {"affected_systems": "All FortiGate devices running FortiOS 7.6.6 or earlier are potentially impacted. The affected product is Fortinet FortiOS, as identified by the vendor/product CPE string. No specific device models are listed, so the risk applies broadly to any FortiGate appliance storing configuration data in the standard format.", "description_and_impact": "The vulnerability exists in Fortinet FortiOS versions up to 7.6.6. It allows an attacker who has access to the device's configuration files to decrypt LDAP credentials, exposing administrators' usernames and passwords. The weakness arises because the default encryption key is identical for all customers. Attackers could then use these credentials to access unauthorized services or compromise the FortiGate device.", "risk_and_exploitability": "The CVSS score of 3.2 indicates a low severity, but the vulnerability has been actively exploited in the wild from December 2025 through 2026. EPSS is less than 1%, suggesting a very low probability of exploitation, yet real-world activity contradicts that low statistical likelihood. Likely attackers already possess read access to the configuration files\u2014through local or remotely misconfigured management interfaces\u2014and then leverage the default key to recover LDAP credentials. The weakness is classified as CWE-1394, a cryptographic issue involving key management. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-17T23:00:12.656575+00:00", "title": "LDAP Credentials Decryption via Default Encryption Key in FortiOS 7.6.6", "updated": "2026-04-17T23:00:12.656591+00:00", "vendors": []}