Fortinet FortiOS LDAP Credential Decryption Vulnerability

Vulnerability

A vulnerability in Fortinet FortiOS versions through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files. The issue arises because the encryption key used for these credentials is static and identical across all customer installations, so anyone who obtains a configuration file can recover the plaintext passwords. The vulnerability has been actively exploited since December 16, 2025.

Impact

Exploitation of this vulnerability allows for the unauthorized decryption of LDAP connection passwords, which FortiGate appliances use to authenticate with LDAP servers. This could lead to unauthorized access or manipulation of resources within the LDAP directory.

Reproduction

The vulnerability can be reproduced by obtaining the FortiGate device's configuration files, which contain LDAP credentials encrypted with the default key. Because that key is the same on every installation, it can be used to decrypt the stored passwords, particularly on devices running FortiOS 7.6.5.

Remediation

Fortinet recommends enabling the 'private-data-encryption' setting on FortiGate devices, which replaces the default encryption key with a customer-supplied one. This step is essential for protecting stored credentials and is officially advised as a hardening measure.
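As an added illustration (not text from the advisory or from Fortinet's own documentation), the FortiOS CLI sequence that enables the setting named above and then verifies it; the interactive key prompt and the grep pipe noted in the comments are assumptions about CLI behaviour:

```fortios
# Enable private-data-encryption so stored secrets (including LDAP bind
# passwords in "config user ldap") are encrypted with a customer-supplied
# key instead of the default key shared across installations.
config system global
    set private-data-encryption enable
end
# Assumption: the CLI then prompts for a 32-hexadecimal-digit key. Generate
# it with a cryptographically secure random source and keep it in a secrets
# vault; without it, configuration backups cannot be restored to another unit.

# Verify the setting is active. "show system global" lists non-default
# values only, so the line appears once the setting is enabled.
# Assumption: FortiOS CLI output can be filtered with "| grep".
show system global | grep private-data-encryption
```

After enabling the setting, take a fresh configuration backup and treat any backup made before the change as still containing default-key-encrypted credentials.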

Added: Feb 5, 2026, 10:20 PM
Updated: Feb 5, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread:         6.8
impact:         2.5
exploitability: 4.3
remediation:    8.3
relevance:      2.7
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.