CVE-2020-9287
📋 TL;DR
This vulnerability allows a local attacker to execute arbitrary code on systems running vulnerable versions of FortiClient EMS online installer. By placing malicious DLL files in the same directory as the installer executable, an attacker can trick the application into loading their code instead of legitimate libraries. This affects FortiClient EMS online installer version 6.2.1 and earlier.
💻 Affected Systems
- FortiClient EMS online installer
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, or ransomware deployment.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive data and system resources controlled by the FortiClient EMS service.
If Mitigated
Limited impact with proper access controls preventing unauthorized users from writing to installer directories.
🎯 Exploit Status
Exploitation requires local access and ability to place files in the installer directory. DLL hijacking is a well-known technique with established attack patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.2 or later
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-19-060
Restart Required: Yes
Instructions:
1. Download FortiClient EMS online installer version 6.2.2 or later from the Fortinet support portal.
2. Run the installer to upgrade the existing installation.
3. Restart the system to ensure all components are properly loaded.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Set strict access controls on directories containing FortiClientEMSOnlineInstaller.exe to prevent unauthorized users from writing files.
icacls "C:\Path\To\Installer\Directory" /deny Users:(OI)(CI)W
Use secure installation locations
Windows: Install FortiClient EMS in protected directories like Program Files with proper ACLs.
🧯 If You Can't Patch
- Remove local user write permissions from directories containing FortiClientEMSOnlineInstaller.exe
- Monitor for unauthorized DLL files in installer directories using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the version of FortiClientEMSOnlineInstaller.exe by right-clicking the file, selecting Properties, and checking the Details tab for version information.
Check Version:
wmic datafile where name="C:\\Path\\To\\FortiClientEMSOnlineInstaller.exe" get version
Verify Fix Applied:
Verify the installer version is 6.2.2 or higher and check that directory permissions restrict write access to non-administrative users.
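The two checks above, plus an inventory of DLLs sitting beside the installer, can be run together. The PowerShell below is an added example, not Fortinet's tooling or part of the original advisory. It assumes the placeholder path from this page, that the file's version resource reflects the release number, and that only SYSTEM, Administrators and TrustedInstaller count as trusted writers.

```powershell
# Added example: audit one installer location for CVE-2020-9287 exposure.
# $InstallerPath is a placeholder; point it at the real file.
param(
    [string]$InstallerPath = 'C:\Path\To\FortiClientEMSOnlineInstaller.exe'
)

$fixed = [version]'6.2.2'   # first fixed release listed on this page
$file  = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
$dir   = $file.DirectoryName

# 1. Version check. Build the version from the numeric parts of the file's
#    version resource so that suffixes in the display string are ignored.
$vi      = $file.VersionInfo
$version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

# 2. Allow ACEs that let an untrusted principal create files in the directory.
#    Trusted list is an assumption: SYSTEM, Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$mask        = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$writers = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $mask) -ne 0) -and
        # Inherit-only ACEs apply to children, not to the directory itself.
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        $trusted -notcontains $_.IdentityReference.Value
    } |
    ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }

# 3. DLLs located next to the installer, with Authenticode status for triage.
$dlls = Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            CreatedUtc = $_.CreationTimeUtc
            Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    }

[pscustomobject]@{
    Installer           = $file.FullName
    FileVersion         = $version
    VulnerableVersion   = ($version -lt $fixed)
    UntrustedWriters    = $writers
    DllsBesideInstaller = $dlls
}
```

A patched and locked-down location reports `VulnerableVersion` as False and an empty `UntrustedWriters`; any entry in `DllsBesideInstaller` whose signature status is not `Valid` deserves a closer look.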
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading events in Windows Event Logs (Security/System)
- File creation events for DLL files in installer directories
Network Indicators:
- Unusual outbound connections from FortiClient EMS processes following DLL loading
SIEM Query:
source="windows" AND (event_id=4663 OR event_id=4656) AND object_name="*.dll" AND process_name="FortiClientEMSOnlineInstaller.exe"