CVE-2020-9292
📋 TL;DR
This CVE describes an unquoted service path vulnerability in FortiSIEM Windows Agent. Because the service's executable path contains spaces and is not quoted, Windows tries shorter, space-delimited prefixes of that path first, so a local attacker who can write an executable at one of those locations gets it run as SYSTEM in place of the legitimate service binary. It affects organizations running FortiSIEM Windows Agent on Windows systems.
💻 Affected Systems
- FortiSIEM Windows Agent
📦 What is this software?
FortiSIEM is Fortinet's SIEM platform; the FortiSIEM Windows Agent is the endpoint component installed on Windows hosts as a service to collect Windows event logs and forward them to the FortiSIEM supervisor.
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege escalation leading to complete host compromise, lateral movement, and potential domain takeover.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, and access sensitive data.
If Mitigated
Limited impact if proper access controls prevent local users from writing to system directories.
🎯 Exploit Status
Exploitation requires local access to the Windows system. The vulnerability is well-documented and relatively easy to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiSIEM Windows Agent version 4.9.1 and above
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-021
Restart Required: Yes
Instructions:
1. Download FortiSIEM Windows Agent version 4.9.1 or later from the Fortinet support portal.
2. Install the updated agent on affected Windows systems.
3. Restart the system or the FortiSIEM service.
🔧 Temporary Workarounds
Manual service path quoting
Manually quote the service path in the Windows Registry to prevent path interception:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\AoWinAgt" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Fortinet\FortiSIEM\AoWinAgt.exe\"" /f
Restrict directory permissions
Set strict ACLs on the installation directory to prevent unauthorized file creation:
icacls "C:\Program Files\Fortinet\FortiSIEM" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from writing to system directories
- Monitor for unauthorized file creation in FortiSIEM installation directories
🔍 How to Verify
Check if Vulnerable:
Check the Windows Registry: reg query "HKLM\SYSTEM\CurrentControlSet\Services\AoWinAgt" /v ImagePath - if the ImagePath value is not wrapped in quotes and contains spaces, the system is vulnerable.
Check Version:
Check the FortiSIEM Agent version in Windows Programs and Features, or run: wmic product where "name like 'FortiSIEM%'" get version
Verify Fix Applied:
Verify the service path is quoted in Registry and FortiSIEM Agent version is 4.9.1 or higher.
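The registry workaround and the verification steps above can be combined into one audit script. The following PowerShell is an added example, not part of the advisory or Fortinet's tooling: it lists every service whose unquoted ImagePath contains a space (the general form of the check, not only AoWinAgt), reports the installed FortiSIEM Agent version against the fixed 4.9.1, and can quote the executable part of the path while preserving any service arguments and the existing registry value type. The function names are this example's own; the service name AoWinAgt and the version threshold come from the advisory.

```powershell
# Added example (not from the advisory or Fortinet): audit services for the
# CVE-2020-9292 unquoted-path pattern, check the agent version, optionally fix.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.ImagePath } |
        ForEach-Object {
            $raw = [string]$_.ImagePath
            # Everything up to the first .exe/.sys token is the executable; the rest
            # is service arguments and must stay unquoted. A path that already
            # starts with a quote never matches this pattern, so it is skipped.
            if ($raw -match '^(?<exe>[^"]*?\.(exe|sys))(\s|$)') {
                $exe = $Matches['exe']
                $expanded = [Environment]::ExpandEnvironmentVariables($exe)
                # Vulnerable only if the executable path contains a space and lives
                # outside %SystemRoot%\system32, where ordinary users cannot write.
                if ($exe -match '\s' -and $expanded -notmatch '\\windows\\system32\\') {
                    [pscustomobject]@{
                        Service    = $_.PSChildName
                        ImagePath  = $raw
                        Executable = $exe
                        Fixed      = '"' + $exe + '"' + $raw.Substring($exe.Length)
                    }
                }
            }
        }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Service)"
        # Keep the existing value type (REG_SZ or REG_EXPAND_SZ) rather than forcing one.
        $kind = (Get-Item -Path $key).GetValueKind('ImagePath')
        if ($PSCmdlet.ShouldProcess($Finding.Service, "set ImagePath to $($Finding.Fixed)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.Fixed -Type $kind
        }
    }
}

function Get-FortiSIEMAgentVersion {
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiSIEM*' } |
        ForEach-Object {
            $patched = try { [version]$_.DisplayVersion -ge [version]'4.9.1' } catch { $false }
            [pscustomobject]@{ Name = $_.DisplayName; Version = $_.DisplayVersion; Patched = $patched }
        }
}

# Usage: report first, then apply only after reviewing the -WhatIf output.
$findings = Get-UnquotedServicePath
$findings | Format-Table Service, ImagePath, Fixed -AutoSize
$findings | Where-Object Service -eq 'AoWinAgt' | Repair-UnquotedServicePath -WhatIf
Get-FortiSIEMAgentVersion
```

Run it from an elevated PowerShell session; drop `-WhatIf` to write the quoted path, then restart the service as the advisory's instructions require. Quoting the path closes the search-order hole but does not replace the vendor patch, so `Get-FortiSIEMAgentVersion` reporting `Patched = True` remains the end state to aim for.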
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 for unexpected process execution from FortiSIEM directories
- Unexpected file creation in C:\Program Files\Fortinet\FortiSIEM\
Network Indicators:
- Unusual outbound connections from FortiSIEM Agent service
SIEM Query:
source="windows" AND (event_id=4688 AND (process_path="*FortiSIEM*" OR parent_process_path="*FortiSIEM*"))
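For hosts that do not feed the SIEM query above, the same indicators can be checked locally against Security log 4688 events. The following PowerShell is an added example, not part of the advisory: it derives the space-delimited prefix paths that Windows would try before the real binary for the unquoted agent path (the locations worth watching for file creation and execution), flags process creations at those paths or from elsewhere in the agent directory, and lists child processes of the agent for review, mirroring the parent_process_path clause of the query. The agent path comes from the advisory's workaround; the function names and the sample events are this example's own constructions.

```powershell
# Added example (not from the advisory): local review of 4688 process-creation
# events for the unquoted-path hijack pattern around the FortiSIEM agent.

$AgentPath = 'C:\Program Files\Fortinet\FortiSIEM\AoWinAgt.exe'   # from the advisory

function Get-SearchOrderCandidate {
    param([Parameter(Mandatory)][string]$UnquotedPath)
    # For an unquoted path with spaces, Windows tries each space-delimited prefix
    # (with .exe appended) before the full path. These are the paths to monitor.
    $parts = $UnquotedPath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-HijackIndicator {
    param(
        [Parameter(Mandatory)][string]$NewProcessName,
        [string]$ParentProcessName = ''
    )
    $candidates = @(Get-SearchOrderCandidate -UnquotedPath $AgentPath)
    $agentDir   = Split-Path -Path $AgentPath -Parent
    if ($candidates -contains $NewProcessName) { return 'executable at search-order hijack path' }
    if ($NewProcessName -like "$agentDir\*" -and $NewProcessName -ne $AgentPath) { return 'unexpected binary in agent directory' }
    if ($ParentProcessName -like "$agentDir\*") { return 'child process of agent (review)' }
    return $null
}

function Get-FortiSIEMProcessFinding {
    param([int]$MaxEvents = 5000)
    # Event 4688 carries NewProcessName and ParentProcessName (Windows 10 / 2016 and later).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $reason = Test-HijackIndicator -NewProcessName $data['NewProcessName'] -ParentProcessName $data['ParentProcessName']
            if ($reason) {
                [pscustomobject]@{ Time = $_.TimeCreated; Process = $data['NewProcessName']; Parent = $data['ParentProcessName']; Reason = $reason }
            }
        }
}

# Constructed sample events (not real log data) to exercise the rules offline.
$sample = @(
    @{ NewProcessName = 'C:\Program Files\Fortinet\FortiSIEM\AoWinAgt.exe'; ParentProcessName = 'C:\Windows\System32\services.exe' },
    @{ NewProcessName = 'C:\Program.exe';                                   ParentProcessName = 'C:\Windows\System32\services.exe' },
    @{ NewProcessName = 'C:\Program Files\Fortinet\FortiSIEM\update.exe';   ParentProcessName = 'C:\Program Files\Fortinet\FortiSIEM\AoWinAgt.exe' }
)
foreach ($e in $sample) {
    $r = Test-HijackIndicator @e
    '{0,-60} {1}' -f $e.NewProcessName, $(if ($r) { $r } else { 'ok' })
}

# Live review of the local Security log (requires 4688 auditing to be enabled):
Get-FortiSIEMProcessFinding | Format-Table -AutoSize
```

The prefix list from `Get-SearchOrderCandidate` is also the set of paths to feed into file-creation monitoring for the "Unexpected file creation" indicator above; a legitimate host should never have an executable at any of them.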