FORTINET Security Advisory

Published Date: May 12, 2026

Advisory Summary

Fortinet has disclosed a security issue impacting FortiClient for Windows: a Missing Authorization vulnerability classified as CWE-862. The flaw permits an authenticated local attacker to decrypt VPN passwords currently saved on the device by exploiting an unprotected DLL function. The vulnerability carries a CVSSv3 score of 2.1, indicating low severity but a clear risk to credential confidentiality if an attacker gains local access.

While the risk level is relatively low, the exposure of VPN credentials through this vector could lead to further compromise of user sessions and sensitive network resources. IT infrastructure teams should evaluate FortiClient deployments for this vulnerability and promptly apply any recommended security patches or updates provided by Fortinet.

Fortinet’s prompt disclosure helps infrastructure professionals mitigate risks related to VPN endpoint security and underscores the need for continuous attention to endpoint software update management.

Reference: Vendor Advisory