Vulnerability details
Advisory: SB2024111813 - Unprotected storage of credentials in FortiClient for Windows
Vulnerable component: Fortinet FortiClient for Windows
CVE-ID:
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:U/RC:C
CWE-ID: CWE-256 - Unprotected Storage of Credentials
Description:
The vulnerability allows a local user to gain access to VPN client credentials.
The vulnerability exists due to application stores user's VPN credentials in plain text in memory after establishing the VPN connection. A local user or a malicious application can retrieve these credentials from the process memory and use them later to connect to the Fortinet VPN server.
Note, the vulnerability is being actively exploited in the wild by the DEEPDATA malware.
External links:
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/