Hardcoded Encryption Key in FortiClientEMS Exposes PostgreSQL Database Dumps
Fortinet disclosed a hardcoded symmetric encryption key vulnerability in FortiClientEMS, rated CVSS 5.2, that allows attackers with an encrypted database dump to decrypt it using the embedded key.

Fortinet disclosed a use of hard-coded cryptographic key vulnerability (CWE-321, CVSS 5.2) in FortiClientEMS that could allow an attacker in possession of an encrypted dump of the database to decrypt it. The advisory, tracked as FG-IR-26-107, was published on April 14, 2026, and affects FortiClientEMS 7.4.0 through 7.4.5.
The flaw resides in the PostgreSQL database encryption mechanism used by FortiClientEMS. A hardcoded symmetric encryption key is embedded in the product, meaning any attacker who obtains an encrypted database dump—for example, through a separate backup exposure or insider access—can leverage the publicly known key to decrypt the entire contents offline. No authentication against the live service is required, making the attack viable for exfiltration scenarios.
FortiClientEMS is Fortinet's enterprise endpoint management and security solution, deployed in organizations to manage FortiClient endpoints, enforce policies, and collect telemetry. The PostgreSQL database stores configuration data, endpoint inventories, policy definitions, and potentially user credentials or session tokens. An attacker who successfully decrypts the database could gain deep visibility into the managed environment and pivot to compromise additional systems.
The vulnerability was internally discovered and reported by David Maciejak of Fortinet's Product Security team. Fortinet has released FortiClientEMS version 7.4.6, which removes the hardcoded key and implements a properly randomized encryption key generation mechanism. Users running versions 7.4.0 through 7.4.5 are advised to upgrade immediately. Versions 7.2 and 7.0 are not affected.
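As an added illustration that is not Fortinet's code and does not use the FortiClientEMS key or dump format, the Go snippet below contrasts the CWE-321 pattern (a key compiled into the product) with the per-installation random key that the 7.4.6 fix is described as introducing. The names `HardcodedKey`, `NewInstallKey`, `Seal` and `Open` are constructed for this example, and encrypting the dump with AES-256-GCM is an assumption, not the product's actual scheme.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CWE-321 anti-pattern: a key baked into the product, so anyone holding a dump can decrypt it offline.
var HardcodedKey = []byte("example-static-key-32-bytes-long") // constructed, not any vendor's real key
// Hardened pattern: a random 256-bit key generated once per installation and kept
// outside both the binary and the dump, readable only by the service account.
func NewInstallKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a dump with AES-256-GCM; output is nonce || ciphertext+tag.
func Seal(key, dump []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dump, nil), nil
}

// Open decrypts nonce || ciphertext+tag; the GCM tag check rejects a wrong key.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

With the static key, every installation's dump opens with the same constant; with a per-install key, a dump taken from one deployment cannot be opened with another deployment's key or with any value extracted from the binary.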
While the CVSS 5.2 rating places this vulnerability in the medium severity tier, the actual risk depends on an organization's backup and data exposure posture. Hardcoded cryptographic keys have been a recurring pattern in enterprise software—similar flaws have been found in products ranging from MAXHUB Pivot clients to legacy VPN appliances—and they underscore the importance of secure key management practices in cloud-connected management platforms.
Fortinet's advisory provides no evidence of active exploitation in the wild as of the publication date. However, the disclosure of the hardcoded key itself means that any attacker who has already obtained a database dump—or who can obtain one through separate means—can now decrypt it. Organizations that have experienced a prior breach or backup exposure should treat the dump as compromised and rotate any secrets stored within.
The key takeaway for security teams is twofold: first, upgrade FortiClientEMS to version 7.4.6 or later to eliminate the static key; second, review database backup and retention practices, ensuring that encrypted backups are stored with access controls that prevent unauthorized retrieval even if the encryption is weak.