Unprotected storage of credentials in Fortinet FortiClient for Windows - #VU100575

 


Published: November 18, 2024


Vulnerability identifier: #VU100575
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: N/A
CWE-ID: CWE-256
Exploitation vector: Local access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Fortinet, Inc
Affected software:
Fortinet FortiClient for Windows

Detailed vulnerability description

The vulnerability allows a local user to gain access to VPN client credentials.

The vulnerability exists because the application stores the user's VPN credentials in plain text in memory after establishing the VPN connection. A local user or a malicious application can retrieve these credentials from the process memory and use them later to connect to the Fortinet VPN server.

Note: the vulnerability is being actively exploited in the wild by the DEEPDATA malware.
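
The CWE-256 pattern described above, as an added illustration that is not FortiClient's code and not part of the advisory: a constructed buffer stands in for process memory, and `vpn_authenticate`, the arena and the sample password are hypothetical. It contrasts a client that leaves the plain-text password in place after the handshake with one that wipes it immediately, plus a residue check suitable for a regression test.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128
/* Constructed stand-in for the process memory that holds the login data. */
static unsigned char arena[ARENA_SIZE];

/* Zero a buffer through a volatile pointer so the compiler cannot drop the writes. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical handshake: the password is needed only for this one call. */
static int vpn_authenticate(const char *user, const char *pass) {
    return user[0] != '\0' && pass[0] != '\0';
}

/* Weak pattern (CWE-256): the plain-text copy outlives the handshake. */
int connect_keep_password(const char *user, const char *pass) {
    snprintf((char *)arena, ARENA_SIZE, "%s", pass);
    return vpn_authenticate(user, (const char *)arena);
}

/* Hardened pattern: wipe the copy as soon as authentication has finished. */
int connect_wipe_password(const char *user, const char *pass) {
    snprintf((char *)arena, ARENA_SIZE, "%s", pass);
    int ok = vpn_authenticate(user, (const char *)arena);
    secure_wipe(arena, ARENA_SIZE);
    return ok;
}

/* Regression check: is the secret still present in the client's own buffer? */
int arena_contains(const char *secret) {
    size_t n = strlen(secret);
    for (size_t i = 0; n > 0 && i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    const char *pw = "Constructed-Pass-123"; /* constructed sample value */
    connect_keep_password("alice", pw);
    printf("residue, weak pattern:     %d\n", arena_contains(pw));
    connect_wipe_password("alice", pw);
    printf("residue, hardened pattern: %d\n", arena_contains(pw));
    return 0;
}
```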


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
