CVE-2018-9195

MEDIUM

FortiClient < 6.0.6 and < 6.2.1 - Use of Hard-coded Cryptographic Key in FortiGuard Services Communication

Title source: llm

Description

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a man-in-the-middle attacker with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0; URL rating in FortiClient) sent to and received from FortiGuard servers by decrypting these messages. Affected products include FortiClient for Windows 6.0.6 and below, FortiOS 6.0.7 and below, and FortiClient for Mac OS 6.2.1 and below.

References (1)

Third Party Advisory x_refsource_confirm
https://fortiguard.com/advisory/FG-IR-18-100

Scores

CVSS v3 5.9
EPSS 0.0030
EPSS Percentile 53.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-798
Status published
Products (3)
fortinet/forticlient < 6.0.6
fortinet/forticlient < 6.2.1
fortinet/fortios < 6.0.6
Published Nov 21, 2019
Tracked Since Feb 18, 2026