Hardcoded Encryption Key in FortiClient Windows Lets Local Attackers Decrypt VPN Passwords
Fortinet disclosed a missing authorization vulnerability in FortiClient for Windows that allows an authenticated local attacker to decrypt a logged-in user's VPN password via an unprotected DLL function.

Fortinet has disclosed a missing authorization vulnerability (CWE-862) in its FortiClient VPN software for Windows, tracked as FG-IR-26-129, that allows an authenticated local attacker to decrypt the VPN password of the currently logged-in user. The flaw, which carries a CVSS score of just 2.1 due to its local attack vector and authentication requirement, stems from a hardcoded encryption key used to protect saved VPN passwords. By calling an unprotected DLL function, an attacker with local access can recover the plaintext password, potentially enabling lateral movement or credential reuse across the network.
The vulnerability affects FortiClient Windows versions 7.4.0 through 7.4.2, as well as all versions of FortiClient Windows 7.2. Fortinet has released FortiClient Windows 7.4.3 to address the issue, while users of the 7.2 branch are advised to migrate to a fixed release. The advisory was initially published on May 12, 2026, and no CVEs were assigned to the flaw.
While the CVSS score is low, the practical risk may be higher in enterprise environments where FortiClient is deployed on shared workstations or multi-user systems. An attacker who gains local access—through malware, physical access, or compromised credentials—could silently extract VPN passwords and use them to access internal networks or escalate privileges. The use of a hardcoded encryption key means that any attacker who reverse-engineers the client can decrypt passwords without needing additional secrets.
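The contrast the paragraph above draws, shown as an added example rather than anything from FortiClient or Fortinet: a saved secret wrapped with a key that ships inside the client is recoverable by anyone who holds that constant, whereas a secret wrapped with Windows DPAPI in user scope is bound to the logged-in user's profile and cannot be unwrapped from another local account. The key bytes, the sample password and the entropy string are constructed placeholders; the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, since DPAPI is Windows-only.

```powershell
# Added example (not FortiClient code): static client-side key vs. DPAPI user scope.
# Requires Windows; on Windows PowerShell 5.1 the ProtectedData type lives in System.Security.dll.
Add-Type -AssemblyName System.Security

function Protect-WithStaticKey {
    # Weak pattern: the same 32-byte AES key is compiled into every copy of the client.
    # Whoever extracts the constant from the binary decrypts every stored password,
    # and no user context is needed to do so.
    param([string]$Plain, [byte[]]$StaticKey)
    $secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force
    return ConvertFrom-SecureString -SecureString $secure -Key $StaticKey
}

function Unprotect-WithStaticKey {
    # Recovery needs nothing but the constant.
    param([string]$Blob, [byte[]]$StaticKey)
    $secure = ConvertTo-SecureString -String $Blob -Key $StaticKey
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

function Protect-ForCurrentUser {
    # Hardened pattern: DPAPI, CurrentUser scope. The blob is bound to the calling
    # user's DPAPI master key, so a different local account (or the same binary run
    # elsewhere) cannot unwrap it; Unprotect throws CryptographicException instead.
    # Optional entropy raises the bar further: the caller must supply it again.
    param([string]$Plain, [byte[]]$Entropy)
    $clear = [System.Text.Encoding]::UTF8.GetBytes($Plain)
    return [System.Security.Cryptography.ProtectedData]::Protect(
        $clear, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-ForCurrentUser {
    param([byte[]]$Cipher, [byte[]]$Entropy)
    $clear = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Cipher, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($clear)
}

# --- Demonstration with constructed values ---------------------------------
$plain     = 'Vpn-Passw0rd!'                              # constructed sample secret
$staticKey = [byte[]](1..32)                              # constructed "hardcoded" key
$entropy   = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')  # constructed

$blobStatic = Protect-WithStaticKey -Plain $plain -StaticKey $staticKey
$recovered  = Unprotect-WithStaticKey -Blob $blobStatic -StaticKey $staticKey
"Static key: any holder of the constant recovers the secret -> $($recovered -eq $plain)"

$blobDpapi  = Protect-ForCurrentUser -Plain $plain -Entropy $entropy
$recovered2 = Unprotect-ForCurrentUser -Cipher $blobDpapi -Entropy $entropy
"DPAPI (same user): round-trip succeeds -> $($recovered2 -eq $plain)"
# Run Unprotect-ForCurrentUser on the same blob from another local account and it
# fails with "Key not valid for use in specified state": that is the property a
# shipped constant can never give you.
```

The practical check for a defender evaluating any client that "remembers" credentials is the second half of this script: if the stored blob can be unwrapped by a different local user, or by the same user on a different machine, the protection is a static secret rather than a user-bound one, regardless of how strong the cipher is.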
The vulnerability was reported by Alex Ghiotto of HackerHood Research Group under responsible disclosure. Fortinet acknowledged the researcher's contribution in the advisory but did not provide details on whether the flaw has been exploited in the wild. The company recommends that all users upgrade to the latest version of FortiClient Windows to mitigate the risk.
This disclosure adds to a growing list of vulnerabilities involving hardcoded cryptographic keys in enterprise VPN clients. Earlier this year, researchers found a similar hardcoded key in the MAXHUB Pivot client that exposed tenant data. The pattern underscores the danger of embedding static secrets in client software, where they can be extracted by anyone with local access or through reverse engineering. For organizations relying on VPNs for remote access, the incident serves as a reminder to enforce strong local security controls and to treat saved credentials with caution.