CVE-2025-54660: Information disclosure in Fortinet FortiClientWindows
An active debug code vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.10, FortiClientWindows 7.0 all versions may allow a local attacker to run the application step by step and retrieve the saved VPN user password
AI Analysis
Technical Summary
CVE-2025-54660 is an information disclosure vulnerability found in Fortinet's FortiClientWindows software versions 7.0.0, 7.2.0 through 7.2.10, and 7.4.0 through 7.4.3. The root cause is the presence of active debug code within the application that can be leveraged by a local attacker to perform step-by-step execution (debugging) of the FortiClientWindows process. This debugging capability enables the attacker to access sensitive information stored in memory during runtime, specifically the saved VPN user passwords. The vulnerability requires the attacker to have local access with low privileges (PR:L) but does not require user interaction (UI:N). The CVSS 3.1 base score is 4.9, reflecting a medium severity rating primarily due to the requirement for local privileges and the limited scope of impact. The vulnerability affects confidentiality (C:H) but does not impact integrity or availability. The exploitability is partially mitigated by the need for local access and privileges, but the presence of debug code in production software is a significant security oversight. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. This vulnerability poses a risk of credential theft, which could lead to unauthorized VPN access and potential lateral movement within affected networks.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of VPN credentials if an attacker gains local access to endpoints running vulnerable FortiClientWindows versions. This exposure threatens the confidentiality of VPN credentials, potentially allowing attackers to bypass network perimeter defenses and gain remote access to corporate networks. Such unauthorized access could facilitate further attacks, including data exfiltration, espionage, or disruption of services. Organizations with remote workforces or those relying heavily on Fortinet VPN solutions are particularly at risk. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and government, where VPN credentials often provide access to sensitive or regulated data. Although exploitation requires local access, insider threats or attackers who have compromised endpoint devices could leverage this vulnerability to escalate their access. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as threat actors may develop exploits once the vulnerability becomes widely known.
Mitigation Recommendations
European organizations should immediately audit their FortiClientWindows deployments to identify affected versions (7.0.0, 7.2.0-7.2.10, 7.4.0-7.4.3). Since no official patches are currently listed, organizations should contact Fortinet support for guidance and monitor for forthcoming updates. In the interim, restrict local access to endpoints running FortiClientWindows by enforcing strict endpoint security controls, including limiting user privileges, employing application whitelisting, and using endpoint detection and response (EDR) solutions to detect suspicious debugging or process manipulation activities. Disable or remove any debug features or developer tools on production systems if possible. Implement strong physical security controls to prevent unauthorized local access. Additionally, enforce multi-factor authentication (MFA) on VPN access to mitigate the risk of credential compromise. Regularly rotate VPN credentials and monitor VPN logs for anomalous access patterns. Educate users about the risks of local credential exposure and the importance of endpoint security hygiene.
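The audit step above (identify endpoints running an affected FortiClientWindows build) can be scripted. The following PowerShell is an added example written for this page; it is not code from the advisory, from Fortinet, or from the analysis vendor. It assumes that FortiClient registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning "FortiClient" and a dotted DisplayVersion string (for example a constructed value such as "7.4.2.1234"), and it encodes the affected ranges as given in the vendor description on this page (7.0 all versions, 7.2.0 through 7.2.10, 7.4.0 through 7.4.3).

```powershell
# Added example (assumption: FortiClient appears in the Uninstall registry keys with
# DisplayName "FortiClient*" and a dotted DisplayVersion). Flags CVE-2025-54660 ranges.

function Test-FortiClientAffected {
    param([string]$Version)
    # Returns $true when the major.minor.patch triple falls inside an affected range.
    if ([string]::IsNullOrWhiteSpace($Version)) { return $false }
    try {
        $parts = $Version.Split('.')
        if ($parts.Count -lt 2) { return $false }
        $major = [int]$parts[0]
        $minor = [int]$parts[1]
        # Build numbers (4th component) are not part of the advisory ranges; ignore them.
        $patch = if ($parts.Count -ge 3) { [int]$parts[2] } else { 0 }
    } catch {
        return $false   # non-numeric version string: treat as not matched, report separately
    }
    if ($major -ne 7) { return $false }
    switch ($minor) {
        0       { return $true }          # 7.0: all versions affected (vendor description)
        2       { return ($patch -le 10) } # 7.2.0 through 7.2.10
        4       { return ($patch -le 3) }  # 7.4.0 through 7.4.3
        default { return $false }
    }
}

function Get-FortiClientInstalls {
    # Both native and WOW6432Node Uninstall hives are checked; reading them does not
    # require elevation, so this runs under a standard user or an EDR/RMM agent.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiClient*' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Name         = $_.DisplayName
                Version      = $_.DisplayVersion
                Affected     = Test-FortiClientAffected -Version $_.DisplayVersion
            }
        }
}

# Self-check of the range logic against constructed version strings.
@('7.0.13.0367', '7.2.10', '7.2.11', '7.4.3', '7.4.4', '6.4.9') | ForEach-Object {
    [pscustomobject]@{ Version = $_; Affected = Test-FortiClientAffected -Version $_ }
} | Format-Table -AutoSize

# Inventory of this host; pipe to Export-Csv when collecting fleet-wide.
Get-FortiClientInstalls | Format-Table -AutoSize
```

The self-check table should show 7.0.13.0367, 7.2.10 and 7.4.3 as affected and 7.2.11, 7.4.4 and 6.4.9 as not affected. When run across a fleet (for example via `Invoke-Command` or an EDR live-response channel), export the `Get-FortiClientInstalls` output to CSV and use the `Affected` column to prioritise the interim controls listed above.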
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: fortinet
- Date Reserved: 2025-07-28T09:23:38.063Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ca897209f2030fa016958
Added to database: 11/18/2025, 5:10:47 PM
Last enriched: 1/14/2026, 2:48:06 PM
Last updated: 2/7/2026, 1:50:04 PM