Fortinet Discloses Credential Exposure Vulnerability in FortiSOAR
Fortinet has disclosed a vulnerability in FortiSOAR that allows authenticated attackers to retrieve stored connector passwords by modifying the server address in connector configuration.

Fortinet has disclosed a vulnerability in its FortiSOAR security orchestration, automation, and response (SOAR) platform that could allow an authenticated attacker to retrieve the stored credentials of every installed connector. The flaw is classified as CWE-257 (Storing Passwords in a Recoverable Format), carries a CVSS score of 4.1 (medium), and affects both the cloud-hosted (PaaS) and on-premises editions.
The root cause is that connector passwords are stored in a recoverable format rather than as write-only secrets. An authenticated remote attacker who can edit a connector's configuration changes its server address, and the platform responds with the stored password in clear text. Repeating this for each connector yields the credentials for all of them, which can then be reused against the integrated systems the connectors authenticate to, enabling lateral movement beyond the SOAR platform itself.
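The following is an added illustration of the weakness class, not FortiSOAR's code and not a reproduction of the actual exploit: a hypothetical connector store in which the update handler echoes a recoverable password back to whoever edits the server field (the CWE-257 behaviour the advisory describes), beside a hardened store where the password is write-only through the API, is bound to the server it was entered for, is cleared whenever that server changes, and where every server change is audited. All class names, the audit record format and the sample hosts are assumptions made for the example.

```python
"""Added example (hypothetical, not FortiSOAR code): CWE-257 in a SOAR connector
store, vulnerable form beside hardened form, plus a review helper that flags
server-address changes pointing outside trusted domains."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connector:
    name: str
    server: str
    username: str
    secret: Optional[str]   # recoverable in the vulnerable store; write-only in the hardened one
    tag: bytes = b""        # hardened store only: HMAC binding the secret to its server


class VulnerableConnectorStore:
    """Passwords are base64-wrapped (standing in for any reversible scheme) and the
    update handler hands the decoded password to any caller allowed to edit."""

    def __init__(self) -> None:
        self._db: dict[str, Connector] = {}

    def create(self, name: str, server: str, username: str, password: str) -> None:
        self._db[name] = Connector(name, server, username,
                                   base64.b64encode(password.encode()).decode())

    def update_server(self, name: str, new_server: str) -> dict:
        c = self._db[name]
        c.server = new_server
        # The flaw: the response carries the stored secret in clear text, so an
        # authenticated editor can harvest every connector's credentials.
        return {"server": c.server, "username": c.username,
                "password": base64.b64decode(c.secret).decode()}


class HardenedConnectorStore:
    """Secret never leaves the store through the API, is bound to the configured
    server, is discarded when the server changes, and changes are audited."""

    def __init__(self, binding_key: bytes) -> None:
        self._key = binding_key
        self._db: dict[str, Connector] = {}
        self.audit: list[dict] = []

    def _bind(self, server: str, secret: str) -> bytes:
        return hmac.new(self._key, f"{server}\x00{secret}".encode(), hashlib.sha256).digest()

    def create(self, name: str, server: str, username: str, password: str, actor: str) -> None:
        # A real deployment also encrypts the secret at rest; the point here is
        # the API contract (write-only, host-bound), not storage encryption.
        self._db[name] = Connector(name, server, username, password, self._bind(server, password))
        self.audit.append({"event": "connector.created", "connector": name,
                           "actor": actor, "server": server})

    def update_server(self, name: str, new_server: str, actor: str) -> dict:
        c = self._db[name]
        old = c.server
        c.server = new_server
        c.secret, c.tag = None, b""   # credential must be re-entered for the new host
        self.audit.append({"event": "connector.server_changed", "connector": name,
                           "actor": actor, "old": old, "new": new_server})
        return {"server": c.server, "username": c.username, "password_set": False}

    def set_password(self, name: str, password: str, actor: str) -> None:
        c = self._db[name]
        c.secret, c.tag = password, self._bind(c.server, password)
        self.audit.append({"event": "connector.password_set", "connector": name, "actor": actor})

    def credential_for_execution(self, name: str) -> Optional[str]:
        """Called only by the connector runtime; refuses a secret whose binding no
        longer matches the configured server (e.g. after a direct database edit)."""
        c = self._db[name]
        if c.secret is None or not hmac.compare_digest(c.tag, self._bind(c.server, c.secret)):
            return None
        return c.secret


def suspicious_server_changes(audit: list[dict], trusted_suffixes: tuple[str, ...]) -> list[dict]:
    """Review helper: server-address changes whose new host is outside trusted domains."""
    flagged = []
    for event in audit:
        if event["event"] != "connector.server_changed":
            continue
        host = event["new"].split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        if not host.endswith(trusted_suffixes):
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    # Constructed sample data.
    weak = VulnerableConnectorStore()
    weak.create("siem", "https://siem.corp.example", "svc-soar", "Hunter2!")
    print("vulnerable store leaks:", weak.update_server("siem", "https://attacker.example.net"))

    strong = HardenedConnectorStore(b"server-side-binding-key")
    strong.create("siem", "https://siem.corp.example", "svc-soar", "Hunter2!", actor="bob")
    print("hardened store returns:", strong.update_server("siem", "https://attacker.example.net", "alice"))
    print("flagged changes:", suspicious_server_changes(strong.audit, (".corp.example",)))
```

The two design points that matter are that a connector secret is write-only through every API path (update responses carry only a `password_set` flag) and that changing the target host invalidates the stored secret, so a redirected connector cannot be used to send or reveal credentials meant for the original system. The audit-based review helper is the check a defender would run against configuration-change history while the patch is being rolled out.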
The affected ranges are the same for both editions: FortiSOAR PaaS and on-premises versions 7.6.0 through 7.6.4, 7.5.0 through 7.5.2, and all releases of 7.4 and 7.3. Fortinet has released fixes for the supported branches: upgrade to FortiSOAR PaaS 7.6.5 or above, or 7.5.3 or above. Versions 7.4 and 7.3 are no longer supported and will not receive a patch; Fortinet recommends migrating to a fixed release.
The vulnerability was discovered internally and reported by Shripal Rawal of the Fortinet PSIRT team. Fortinet has not reported exploitation in the wild. Because the attack requires only an authenticated account with rights to edit connectors, the practical exposure is to insiders and to anyone who has already obtained a FortiSOAR login. Beyond patching, organizations should review connector configuration history for server-address changes pointing at hosts they do not recognize, and treat the credentials of any connector that shows such a change as compromised and rotate them.
This disclosure fits a recurring pattern of credential exposure in enterprise platforms that store integration secrets in a recoverable form. Organizations using FortiSOAR should prioritize upgrading to a fixed release to close the credential-theft path.