Zero-day vulnerability in Fortinet FortiClient for Windows

Unprotected storage of credentials

Not patched

Vulnerability details

Advisory: SB2024111813 - Unprotected storage of credentials in FortiClient for Windows

Vulnerable component: Fortinet FortiClient for Windows

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:U/RC:C

CWE-ID: CWE-256 - Unprotected Storage of Credentials

Description:

The vulnerability allows a local user to gain access to VPN client credentials.

The vulnerability exists because the application stores the user's VPN credentials in plain text in memory after establishing the VPN connection. A local user or a malicious application can retrieve these credentials from the process memory and use them later to connect to the Fortinet VPN server.

Note: the vulnerability is being actively exploited in the wild by the DEEPDATA malware.
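
The weakness class described above (CWE-256, here in process memory) is illustrated by the following added example, which is not FortiClient code and not a vendor fix: it contrasts a session that keeps the plaintext password after login with one that wipes its copy once authentication is done. The struct, the function names and the send_auth stand-in are hypothetical, and the credential values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session layout for illustration; not FortiClient's own. */
struct vpn_session { char user[64]; char password[128]; int connected; };

/* Zero through a volatile pointer so the compiler cannot drop the stores as
   dead writes (SecureZeroMemory plays this role on Windows). */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Stand-in for the real authentication exchange (assumption). */
static int send_auth(const char *user, const char *pw) {
    return user[0] != '\0' && pw[0] != '\0';
}

/* Weak pattern (CWE-256): the plaintext password outlives the login. */
int connect_retaining(struct vpn_session *s, const char *user, const char *pw) {
    memset(s, 0, sizeof *s);
    snprintf(s->user, sizeof s->user, "%s", user);
    snprintf(s->password, sizeof s->password, "%s", pw);
    s->connected = send_auth(s->user, s->password);
    return s->connected;
}

/* Hardened pattern: same login, then the stored copy is wiped. The caller's
   own input buffer needs the same treatment. */
int connect_wiping(struct vpn_session *s, const char *user, const char *pw) {
    int ok = connect_retaining(s, user, pw);
    secure_wipe(s->password, sizeof s->password);
    return ok;
}

/* Count non-zero bytes still present in the password field. */
size_t residual_password_bytes(const struct vpn_session *s) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof s->password; i++) n += s->password[i] != 0;
    return n;
}

int main(void) {
    struct vpn_session a, b;
    connect_retaining(&a, "alice", "constructed-pass"); /* constructed values */
    connect_wiping(&b, "alice", "constructed-pass");
    printf("retained=%zu wiped=%zu\n", residual_password_bytes(&a), residual_password_bytes(&b));
    return 0;
}
```

Wiping shortens the window in which the secret is readable from process memory; it does not protect the credential while authentication is in progress.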

External links:

https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/