CVE-2026-25815
Unknown Unknown - Not Provided
LDAP Credential Decryption in Fortinet FortiOS Configuration Files

Publication date: 2026-02-05

Last updated on: 2026-02-05

Assigner: MITRE

Description
Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25815
EUVD
EUVD-2026-5525
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fortinet fortios to 7.6.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1394 The product uses a default cryptographic key for potentially critical functionality.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Fortinet FortiOS versions up to 7.6.6 and allows attackers to decrypt LDAP credentials stored in device configuration files. The issue arises because the encryption key used to protect these credentials is the same across all customer installations by default. Although there is a non-default option to enable stronger encryption, it is not enabled by default due to potential disruptions in functionality.

Impact Analysis

An attacker who exploits this vulnerability can decrypt LDAP credentials stored in the device configuration files. This could lead to unauthorized access to LDAP services, potentially exposing sensitive authentication information. Since the encryption key is shared across installations by default, multiple customers could be affected if an attacker obtains the key.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability arises because Fortinet FortiOS through version 7.6.6 uses the same encryption key across all customers by default to encrypt LDAP credentials in device configuration files.

To mitigate this vulnerability, customers should enable the non-default option that eliminates this weakness by using private data encryption with a unique key per installation.

However, enabling this option may disrupt functionality as noted in Fortinet's documentation on managing FortiGates with private data encryption.

Therefore, the immediate step is to evaluate enabling this non-default private data encryption option despite potential disruptions, to prevent attackers from decrypting LDAP credentials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25815. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart