Fortinet FortiClient
cpe:2.3:a:fortinet:forticlient:*:*:*:*:windows:*:*
- >= 7.4.0, <= 7.4.3
- >= 7.2.0, <= 7.2.11
- ~7.0
An uncontrolled search path element vulnerability (CWE-427) in Fortinet FortiClient for Windows allows DLL hijacking. Affected versions are 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, and all releases of the 7.0 branch. The FortiClient Online Installer resolves a DLL from the folder it is run from; a local, low-privileged user who can write to that folder can plant a malicious DLL there, and the installer loads it, executing the attacker's code with the privileges of the installer process.
Upgrade FortiClient to 7.4.4 or later on the 7.4 branch, or to 7.2.12 or later on the 7.2 branch. FortiClient Windows 7.0 should be migrated to a fixed release. As a workaround, download installers only from Fortinet and run the installation from a folder that regular users cannot write to, since the folder the installer is launched from is the one it searches for the DLL.
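The workaround above has two checks a Windows administrator would want to script: is the folder the installer will be launched from writable by anyone other than Administrators and SYSTEM, and is the downloaded installer actually signed by Fortinet. The PowerShell below is an added example, not Fortinet's code or anything from the advisory; the staging path, the installer file name and the expected signer substring are assumptions for illustration.

```powershell
# Added example (not Fortinet's code): audit a folder's DACL for write access by
# anyone other than trusted principals, build a staging folder that only
# Administrators and SYSTEM can write to, and verify the installer's signature.
# Paths, the installer file name and the expected signer string are assumptions.

# Principals allowed to hold write rights on an installer staging folder.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only placeholder, as on Program Files)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal plant or replace a file in the folder, plus the
# generic write/all bits that some ACEs carry un-mapped.
$DangerousMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, ChangePermissions, TakeOwnership'
$DangerousMask = $DangerousMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Test-LowPrivWritable {
    # Returns one object per Allow ACE that grants a write-capable right to a
    # principal outside $TrustedSids. An empty result means the folder is safe
    # to launch the installer from under this advisory's threat model.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to the folder itself, so they cannot
        # be used to drop a DLL directly into it.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: keep the raw value
        }
        if ($TrustedSids -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $DangerousMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function New-ProtectedStagingFolder {
    # Creates $Path, breaks ACL inheritance, discards every existing ACE and
    # grants FullControl to Administrators and SYSTEM only, with Users limited
    # to read/execute so the copied installer can still be launched.
    param([Parameter(Mandatory)][string]$Path)
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(@('S-1-5-18','FullControl'), @('S-1-5-32-544','FullControl'), @('S-1-5-32-545','ReadAndExecute'))) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($entry[0])
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $entry[1], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Test-InstallerSignature {
    # Authenticode check: the signature must validate and the signer subject
    # must contain $ExpectedSigner (a substring match; 'Fortinet' is an assumption).
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedSigner = 'Fortinet')
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Ok     = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    }
}

# Usage, from an elevated PowerShell (paths and file name are assumptions):
#   Test-LowPrivWritable -Path "$env:USERPROFILE\Downloads"      # flags the user's own write ACE
#   $stage = New-ProtectedStagingFolder -Path 'C:\FortiClientStage'
#   Test-LowPrivWritable -Path $stage                             # should return nothing
#   Copy-Item "$env:USERPROFILE\Downloads\FortiClientOnlineInstaller.exe" $stage
#   Test-InstallerSignature -Path "$stage\FortiClientOnlineInstaller.exe"
```

The audit flags the launching user's own ACE on a Downloads folder on purpose: when the installer is started by a standard user and elevated through UAC, that same low-privileged account is the one the advisory describes, so its write access to the launch folder is exactly the condition to avoid. Copy the installer into the staging folder only after the folder's ACL has been applied, and run the signature check on the copy, not on the original in the writable location.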