CVE-2021-43066
📋 TL;DR
This vulnerability in Fortinet FortiClient for Windows allows attackers to escalate privileges via the MSI installer by controlling file names or paths. It affects users running vulnerable versions of FortiClient on Windows systems. Successful exploitation could give attackers administrative access to the system.
💻 Affected Systems
- Fortinet FortiClient for Windows
📦 What is this software?
FortiClient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full SYSTEM/administrator privileges on the Windows host, enabling complete system compromise, persistence, and lateral movement.
Likely Case
Local authenticated user or malware with initial access escalates to administrator privileges to install additional malware, disable security controls, or access sensitive data.
If Mitigated
With proper privilege separation and least privilege principles, impact is limited to the user context, preventing full system compromise.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is in the installer, suggesting exploitation may involve tricking the installer or modifying installation parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiClient 7.0.3, 6.4.7, 6.2.10, 6.0.11 and later
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-21-154
Restart Required: Yes
Instructions:
1. Download the latest FortiClient version from the official Fortinet portal.
2. Uninstall the current vulnerable version.
3. Install the patched version.
4. Restart the system to ensure all components are updated.
🔧 Temporary Workarounds
Restrict installer permissions
Limit who can run the FortiClient installer and who can modify installation directories
Use Group Policy to restrict MSI installer execution to administrators only
Implement least privilege
Ensure users operate with the minimum necessary privileges to reduce impact
Configure User Account Control (UAC) to highest setting
Use standard user accounts instead of administrator accounts
🧯 If You Can't Patch
- Remove FortiClient from systems where it's not essential for business operations
- Implement strict access controls and monitoring on systems with vulnerable FortiClient versions
🔍 How to Verify
Check if Vulnerable:
Check the FortiClient version in the application's About section or with the 'wmic product get name,version' command
Check Version:
wmic product where "name like 'FortiClient%'" get name,version
Verify Fix Applied:
Verify installed FortiClient version is 7.0.3+, 6.4.7+, 6.2.10+, or 6.0.11+
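As an added example (not part of the advisory or of Fortinet's own tooling), the following PowerShell check reads the installed FortiClient version from the Windows Installer Uninstall registry keys and compares it against the fixed version of its own release branch. It assumes that branches newer than 7.0 postdate the fix and that any other branch not listed in the advisory should be treated as vulnerable.

```powershell
# Added example, not from the advisory: branch-aware FortiClient version check
# for CVE-2021-43066. Reads the Windows Installer Uninstall keys rather than
# 'wmic product', which is slow and triggers a consistency check of every MSI.

# Minimum fixed version per release branch, as listed in the advisory.
$FixedByBranch = @{
    '7.0' = [version]'7.0.3'
    '6.4' = [version]'6.4.7'
    '6.2' = [version]'6.2.10'
    '6.0' = [version]'6.0.11'
}

function Test-FortiClientPatched {
    param([Parameter(Mandatory)][version]$Installed)

    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if ($FixedByBranch.ContainsKey($branch)) {
        return $Installed -ge $FixedByBranch[$branch]
    }
    # Assumption: branches newer than 7.0 postdate the fix; any other branch
    # not listed (e.g. 5.x) is out of support and is treated as vulnerable.
    return $Installed -ge [version]'7.1'
}

function Get-FortiClientInstallState {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiClient*' } |
        ForEach-Object {
            $ver = $null
            # Skip entries whose DisplayVersion is missing or not a dotted version.
            if ([version]::TryParse([string]$_.DisplayVersion, [ref]$ver)) {
                $state = if (Test-FortiClientPatched $ver) { 'patched' }
                         else { 'vulnerable (CVE-2021-43066)' }
                [pscustomobject]@{ Name = $_.DisplayName; Version = $ver; State = $state }
            }
        }
}

$results = @(Get-FortiClientInstallState)
if ($results.Count -eq 0) {
    Write-Output 'FortiClient not found in the Uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
}
```

Run from an elevated PowerShell prompt; the 64-bit and WOW6432Node keys are both read because FortiClient components may register under either.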
📡 Detection & Monitoring
Log Indicators:
- Unusual MSI installer activity in the Windows Application event log (MsiInstaller Event ID 11707, installation completed, and 11724, removal completed)
- FortiClient installation or repair attempts from non-standard users
Network Indicators:
- Unusual outbound connections from FortiClient processes post-installation
SIEM Query:
source="windows" AND (event_id=11707 OR event_id=11724) AND process_name="msiexec.exe" AND command_line LIKE "%FortiClient%"