CVE-2026-25815

LOW EXPLOITED

Fortinet FortiOS <7.6.6 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2026-25815 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.

References (2)

Core 2

Core References

Various Sources

https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption

Various Sources

https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords

Scores

CVSS v3 3.2

EPSS 0.0000

EPSS Percentile 0.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

VulnCheck KEV 2026-02-05

CWE

CWE-1394

Status published

Products (1)

Fortinet/FortiOS < 7.6.6

Published Feb 05, 2026

Tracked Since Feb 18, 2026