PT-2021-6855 · Fortinet · Fortios

Published: 2021-01-25 · Updated: 2021-12-09 · CVE-2021-26108

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: FortiOS versions prior to 7.0.1
Description: A use of hard-coded cryptographic key vulnerability in the SSLVPN of FortiOS may allow an attacker to retrieve the key by reverse engineering. The SSL-VPN portal of FortiOS relies on a hard-coded cryptographic key, so a remote attacker who recovers that key from the firmware obtains the encryption key itself.

Recommendations: For FortiOS versions prior to 7.0.1, update to version 7.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the SSLVPN portal until the patch is applied, and avoid using the SSLVPN portal for sensitive operations until the issue is resolved.

Fix

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers: BDU:2022-02331, CVE-2021-26108

Affected Products: Fortios