PSIRT Advisories

FortiOS - Hardcoded SSLVPN cookie encryption key


A use of hard-coded cryptographic key vulnerability [CWE 321] in FortiOS SSLVPN may allow an attacker to retrieve the key by reverse engineering.

Affected Products

Only when SSLVPN is enabled:

FortiOS 6.4.5 and below.
FortiOS 6.2.8 and below.
FortiOS 6.0.12 and below.
FortiOS 5.6.13 and below.

FortiOS-6K7K version 6.4.2.
FortiOS-6K7K version 6.2.6 and below.


Upgrade to FortiOS 7.0.0 or above.
Upgrade to FortiOS 6.4.6 or above.
Upgrade to FortiOS 6.2.10 or above.
Upgrade to FortiOS 6.0.13 or above.
Upgrade to FortiOS 5.6.14 or above.

Upgrade to FortiOS-6K7K version 6.2.7 or above.

For new high-end F-Series Models (FG-1800F, FG-3800F, FG-4200F, FG-4400F) please upgrade to 6.2.9