Login Sign Up

CVE-2021-22127

7.1 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows an unauthenticated attacker to execute arbitrary code as root on Linux systems running vulnerable FortiClient versions by tricking a user into connecting to a maliciously named network. It affects FortiClient for Linux versions 6.4.x before 6.4.3 and 6.2.x before 6.2.9.

💻 Affected Systems

Products:
  • FortiClient for Linux
Versions: 6.4.x before 6.4.3, 6.2.x before 6.2.9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires user to connect to a maliciously named network.

📦 What is this software?

Forticlient by Fortinet

View all CVEs affecting Forticlient →

Forticlient by Fortinet

View all CVEs affecting Forticlient →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Local privilege escalation to root followed by credential harvesting, lateral movement, or malware installation.

🟢

If Mitigated

Limited impact if network segmentation prevents lateral movement and proper monitoring detects unusual root activity.

🌐 Internet-Facing: MEDIUM - Requires user interaction to connect to malicious network but could be combined with social engineering.
🏢 Internal Only: HIGH - Internal attackers could set up rogue access points or manipulate network names to exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick user into connecting to malicious network. No authentication required once user connects.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiClient for Linux 6.4.3 or 6.2.9

Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-241

Restart Required: Yes

Instructions:

1. Download latest FortiClient for Linux from Fortinet support portal. 2. Install update using package manager. 3. Restart system to ensure all components are updated.

🔧 Temporary Workarounds

Network Connection Restriction

linux

Restrict users from connecting to untrusted networks via policy or user education.

Privilege Reduction

linux

Run FortiClient with reduced privileges if possible (though this may limit functionality).

🧯 If You Can't Patch

  • Implement strict network access controls to prevent connections to untrusted networks.
  • Monitor for unusual root-level process execution from FortiClient components.

🔍 How to Verify

Check if Vulnerable:

Check FortiClient version: 'forticlient --version' or check installed package version.

Check Version:

forticlient --version

Verify Fix Applied:

Verify version is 6.4.3 or higher for 6.4.x branch, or 6.2.9 or higher for 6.2.x branch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution as root from FortiClient components
  • Failed network connection attempts with suspicious names

Network Indicators:

  • Connections to networks with unusually long or malformed names
  • Rogue access points with crafted names

SIEM Query:

process.name='forticlient' AND user.name='root' AND process.cmdline contains unusual patterns

📊 Metadata

CVE ID: CVE-2021-22127
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: April 6, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-22127, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)