CVE-2022-26113
📋 TL;DR
This vulnerability in FortiClient for Windows allows a local attacker to write arbitrary files to the system due to unnecessary privileges. It affects FortiClient versions 7.0.0-7.0.3, 6.4.0-6.4.7, 6.2.0-6.2.9, and 6.0.0-6.0.10. Attackers must have local access to exploit this privilege escalation flaw.
💻 Affected Systems
- FortiClient for Windows
📦 What is this software?
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker could write malicious files to system directories, potentially leading to full system compromise, persistence mechanisms, or disabling security controls.
Likely Case
Local privilege escalation allowing attackers to modify system files, install malware, or tamper with security configurations.
If Mitigated
Limited impact if proper access controls and least privilege principles are enforced, though local file writes could still occur.
🎯 Exploit Status
Exploitation requires local access but appears to be straightforward based on the vulnerability description. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.4, 6.4.8, 6.2.10, and 6.0.11
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-044
Restart Required: Yes
Instructions:
1. Download the latest FortiClient version from the official Fortinet support portal.
2. Uninstall the current vulnerable version.
3. Install the patched version (7.0.4, 6.4.8, 6.2.10, or 6.0.11).
4. Restart the system to complete the installation.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local access to systems running FortiClient to authorized users only.
Apply Least Privilege
Windows: Ensure users have only the minimum necessary privileges, to reduce the impact if the flaw is exploited.
🧯 If You Can't Patch
- Monitor for suspicious file write activities in system directories
- Implement application whitelisting to prevent unauthorized executables from running
🔍 How to Verify
Check if Vulnerable:
Check the FortiClient version in the application interface, or with the 'wmic product get name,version' command, and compare it against the affected versions.
Check Version:
wmic product where "name like 'FortiClient%'" get name,version
Verify Fix Applied:
Verify in the application interface that the FortiClient version is 7.0.4, 6.4.8, 6.2.10, or 6.0.11, or a later release in the same branch.
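The version check above can be scripted so that it classifies the installed build against the fix version for its own release branch (a 6.4.7 install is vulnerable even though 6.4.7 is "higher" than 6.2.10). The PowerShell below is an added example, not part of the advisory or of Fortinet's tooling. It reads the standard Windows uninstall registry keys rather than the deprecated wmic utility; that FortiClient appears there under a DisplayName starting with 'FortiClient', and the registry lookup itself, are this script's assumptions. The branch-to-fix table comes from the advisory text.

```powershell
# Added example (not from the advisory): classify the installed FortiClient
# for Windows build against the CVE-2022-26113 fix version for its branch.
# Assumption: FortiClient registers in the standard uninstall registry keys
# with a DisplayName beginning 'FortiClient' (typical for MSI-based installs).

# Fixed version per release branch, as listed in the advisory.
$FixedByBranch = @{
    '7.0' = [version]'7.0.4'
    '6.4' = [version]'6.4.8'
    '6.2' = [version]'6.2.10'
    '6.0' = [version]'6.0.11'
}

function Test-FortiClientVulnerable {
    param([Parameter(Mandatory)][version]$Installed)
    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if (-not $FixedByBranch.ContainsKey($branch)) {
        # 7.2 and later, or anything else, is not in a branch the advisory lists.
        return [pscustomobject]@{ Version = $Installed; Branch = $branch; Status = 'Branch not listed as affected' }
    }
    $fixed  = $FixedByBranch[$branch]
    $status = if ($Installed -lt $fixed) { "VULNERABLE (fix is $fixed)" } else { 'Patched' }
    [pscustomobject]@{ Version = $Installed; Branch = $branch; Status = $status }
}

function Get-InstalledFortiClientVersions {
    # Both native and 32-bit-on-64-bit uninstall hives.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiClient*' } |
        ForEach-Object {
            # DisplayVersion may carry a fourth build component (e.g. 7.0.3.0169);
            # [version] handles that. Skip entries that do not parse.
            $v = $_.DisplayVersion -as [version]
            if ($v) { $v }
        }
}

$found = Get-InstalledFortiClientVersions
if (-not $found) {
    Write-Output 'FortiClient not found in the uninstall registry keys.'
} else {
    $found | ForEach-Object { Test-FortiClientVulnerable -Installed $_ } | Format-Table -AutoSize
}
```

Running the script on a host with 6.4.7 installed reports VULNERABLE with the fix version 6.4.8; on 7.0.4 it reports Patched. The same `Test-FortiClientVulnerable` function can be fed version strings collected from a fleet inventory instead of the local registry.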
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in system directories
- FortiClient service or process anomalies
- Privilege escalation attempts
Network Indicators:
- None; this is a local attack.
SIEM Query:
EventID=4663 OR EventID=4656 with TargetObject containing system directories and ProcessName containing FortiClient