FortiClient for Windows - Hardcoded credentials in vcm2.exe


A use of hard-coded credentials vulnerability [CWE-798] in FortiClient for Windows may allow an attacker to bypass system protections via the use of static credentials.

| Version | Affected | Solution |
|---|---|---|
| FortiClientWindows 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
| FortiClientWindows 7.0 | 7.0.0 through 7.0.9 | Upgrade to 7.0.10 or above |
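
To triage an endpoint inventory against the affected ranges above, the following added example (not Fortinet code) classifies FortiClient for Windows version strings and reports the fixed release to upgrade to. The CSV layout, host names and build suffix in the sample are constructed assumptions; only the version ranges come from this advisory.

```python
import csv
import io
import re

# Affected ranges and fixed releases, copied from the advisory table.
AFFECTED = {
    (7, 2): {"first": (7, 2, 0), "last": (7, 2, 1), "fixed": "7.2.2"},
    (7, 0): {"first": (7, 0, 0), "last": (7, 0, 9), "fixed": "7.0.10"},
}

def parse_version(text):
    """Return (major, minor, patch) from '7.0.9' or '7.0.9.0493' (build suffix ignored)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$", text or "")
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(version_text):
    """Classify one version string as 'affected', 'not listed' or 'unknown'."""
    try:
        ver = parse_version(version_text)
    except ValueError:
        return {"status": "unknown", "fixed": None}
    branch = AFFECTED.get(ver[:2])
    # Integer tuples compare numerically, so 7.0.10 sorts after 7.0.9
    # (a plain string comparison would get this wrong).
    if branch and branch["first"] <= ver <= branch["last"]:
        return {"status": "affected", "fixed": branch["fixed"]}
    # Branches outside the advisory table are reported as "not listed",
    # because the advisory makes no statement about them.
    return {"status": "not listed", "fixed": None}

def triage(inventory_csv):
    """Assess every row of a 'host,version' CSV export (assumed format)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["version"], assess(r["version"])) for r in rows]

# Constructed sample inventory, not real data.
SAMPLE = """host,version
ws-001,7.0.9.0493
ws-002,7.0.10
ws-003,7.2.1
ws-004,7.2.2
ws-005,6.4.8
ws-006,unknown
"""

if __name__ == "__main__":
    for host, version, result in triage(SAMPLE):
        target = f" -> upgrade to {result['fixed']} or above" if result["fixed"] else ""
        print(f"{host}: {version}: {result['status']}{target}")
```

Rows reported as "unknown" need a manual check of the installed version before they can be cleared.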


Fortinet is pleased to thank Hanafiah Muhamad from One NZ for reporting this vulnerability under responsible disclosure.


2023-11-06: Initial publication