CVE-2022-42470
📋 TL;DR
This CVE describes a relative path traversal vulnerability (CWE-23) in Fortinet FortiClient for Windows. A local attacker, meaning any process on the host that is able to open a specific named pipe exposed by FortiClient, can send crafted requests to that pipe and have FortiClient execute arbitrary code or commands. It affects FortiClient for Windows versions 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.10.
💻 Affected Systems
- Fortinet FortiClient for Windows, versions 7.0.0 to 7.0.7, 6.4.0 to 6.4.9, 6.2.0 to 6.2.9, and 6.0.0 to 6.0.10 (other platforms and the 7.2 branch are not listed as affected)
📦 What is this software?
FortiClient by Fortinet, an endpoint security and VPN client; the vulnerable component is the Windows build, whose service exposes the named pipe in question.
⚠️ Risk & Real-World Impact
Worst Case
The pipe is served by FortiClient's Windows service, which runs as SYSTEM, so a successful exploit gives the attacker SYSTEM on the endpoint: complete control of the host, data exfiltration, and a privileged foothold for lateral movement within the network.
Likely Case
Local privilege escalation: an attacker who already runs code as a low-privileged user (malware delivered by phishing, a compromised service account) uses the pipe to execute code as SYSTEM, then installs persistence, dumps credentials, or deploys additional tooling.
If Mitigated
Only the patch removes the vulnerability. Segmentation, EDR, and least-privilege controls do not stop a local exploit; they limit what the attacker can do with SYSTEM afterwards, ideally containing the compromise to a single endpoint.
🎯 Exploit Status
The advisory describes a local attacker: the flaw is in how FortiClient validates the path component of requests arriving on its named pipe, so the attacker needs to run code on the host as a user the pipe's DACL allows to connect, then send a request whose path escapes the intended directory. Windows named pipes can also be opened from another machine over SMB (\\host\pipe\<name>) by an authenticated remote user when the DACL permits it, so an endpoint that accepts inbound SMB from untrusted networks is more exposed than one that does not.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiClient 7.0.8, 6.4.10, 6.2.10, 6.0.11 and later
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-320
Restart Required: Yes
Instructions:
1. Download the fixed FortiClient build for your branch from the official Fortinet support portal.
2. Uninstall the current vulnerable version.
3. Install the patched version.
4. Restart the system so that every FortiClient component, including the service that serves the named pipe, is running the patched code.
🔧 Temporary Workarounds
Restrict Named Pipe Access
Platform: Windows. A named pipe's DACL is set by the process that creates it, here FortiClient's service, so it cannot be tightened through Group Policy or a local security policy; the SMB signing setting (Set-SmbClientConfiguration -RequireSecuritySignature $true) changes nothing about who may open a local pipe. What an administrator can do is shrink the set of principals able to reach the pipe: limit interactive and remote logon on the endpoint to the users who need it, and block inbound SMB (TCP 445) at the host firewall so the pipe cannot be opened from another machine via \\host\pipe\<name>.
Network Segmentation
Platform: all. Segment the network so that endpoints running FortiClient are not reachable over SMB from untrusted segments, and so that a compromised endpoint cannot reach critical assets directly.
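The two host-level steps above, as an added example that is not Fortinet's code or part of the original page: list the named pipes the host exposes (so the pipe name used in detection rules is read from a real endpoint rather than guessed), and add a Windows Firewall rule blocking inbound SMB so no local pipe can be opened from another machine. The '*forticlient*' filter and the rule name are assumptions; adjust the filter to what the listing shows. The CVE is described as local, so the rule only removes the remote-reach case.

```powershell
# Added example, not from Fortinet or the original page. Two host-level actions to
# take while the patch is pending:
#   1. list the named pipes the host currently exposes, so the pipe name used in
#      detection rules is read from a real endpoint rather than guessed;
#   2. add a Windows Firewall rule blocking inbound SMB (TCP 445), which removes the
#      only path by which a local named pipe could be opened from another machine
#      (\\host\pipe\<name>). This does not stop a local exploit.
# The '*forticlient*' filter is an assumption; adjust it to what step 1 shows.

function Get-NamedPipe {
    param([string]$Filter = '*')
    # The pipe file system enumerates like a directory; each entry is the
    # \\.\pipe\<name> path a client would open.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        Where-Object { $_ -like $Filter } |
        Sort-Object
}

function Block-InboundSmb {
    # Dry run by default; -Apply creates the rule (needs an elevated shell).
    param([switch]$Apply)
    $name = 'Block inbound SMB 445 (CVE-2022-42470 interim)'   # assumed rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return "Rule '$name' already exists."
    }
    if (-not $Apply) {
        return "Dry run: would create '$name'. Rerun with -Apply. This also blocks inbound file sharing and SMB-based remote administration of this host."
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    return "Created rule '$name'."
}

Get-NamedPipe -Filter '*forticlient*'
Block-InboundSmb
```

Run the listing on a patched reference host as well as a vulnerable one; the pipe names should be identical, which is what makes them usable as a detection key after patching.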
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical assets
- Deploy endpoint detection and response (EDR) and watch specifically for processes outside the FortiClient install directory connecting to FortiClient-named pipes, and for FortiClient's service spawning child processes
🔍 How to Verify
Check if Vulnerable:
Check the FortiClient version in the application's About dialog or under Windows Programs and Features. Any version inside the affected ranges (7.0.0-7.0.7, 6.4.0-6.4.9, 6.2.0-6.2.9, 6.0.0-6.0.10) is vulnerable.
Check Version (wmic is deprecated on current Windows builds, and "wmic product" triggers an MSI consistency check of every installed product, which is slow; the DisplayVersion value under the registry Uninstall keys gives the same answer without that side effect):
wmic product where "name like 'FortiClient%'" get version
Verify Fix Applied:
Confirm the installed version is 7.0.8+, 6.4.10+, 6.2.10+, or 6.0.11+ within its own branch, and that the host has been restarted so the FortiClient service is running the patched code. Keep monitoring named pipe activity for a while after patching: a compromise that happened before the upgrade survives it.
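The version check above, as an added example that is not Fortinet's code or part of the original page: it reads the installed FortiClient version from the registry Uninstall keys (the alternative to "wmic product" mentioned above) and compares it with the fixed release for its branch. The per-branch fixed versions are the ones listed under Official Fix; the function name and the sample version strings are constructed for the example.

```powershell
# Added example, not from the Fortinet advisory or the original page: compare an
# installed FortiClient version with the fixed releases listed above.

# Fixed release per affected branch, from the advisory text above.
$FixedByBranch = @{
    '7.0' = [version]'7.0.8'
    '6.4' = [version]'6.4.10'
    '6.2' = [version]'6.2.10'
    '6.0' = [version]'6.0.11'
}

function Test-FortiClientCve202242470 {
    param([Parameter(Mandatory)][string]$Version)

    # Accept strings such as "7.0.7.0345"; strip anything that is not a digit or dot.
    $v = [version]($Version -replace '[^0-9.]', '')
    $branch = '{0}.{1}' -f $v.Major, $v.Minor

    if (-not $FixedByBranch.ContainsKey($branch)) {
        # Branch not named in the advisory (for example 7.2): outside this CVE's scope.
        return [pscustomobject]@{ Version = $v; Branch = $branch; Vulnerable = $false; Note = 'branch not listed in the advisory' }
    }
    $fixed = $FixedByBranch[$branch]
    [pscustomobject]@{
        Version    = $v
        Branch     = $branch
        Vulnerable = ($v -lt $fixed)   # anything below the fixed build in this branch
        Note       = "fixed in $fixed"
    }
}

function Get-InstalledFortiClientVersion {
    # Read the Uninstall registry keys rather than 'wmic product', which is deprecated
    # and runs an MSI consistency check over every installed product.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiClient*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

# Constructed sample values, one per branch plus an unlisted branch, to show the decision logic.
'7.0.7.0345', '7.0.8', '6.4.10', '6.0.10', '7.2.1' |
    ForEach-Object { Test-FortiClientCve202242470 -Version $_ } |
    Format-Table Version, Branch, Vulnerable, Note -AutoSize

# Assess the local installation.
$installed = Get-InstalledFortiClientVersion
if (-not $installed) { Write-Output 'No FortiClient entry found in the Uninstall registry keys.' }
foreach ($app in $installed) {
    Test-FortiClientCve202242470 -Version $app.DisplayVersion |
        Format-Table Version, Branch, Vulnerable, Note -AutoSize
}
```

The comparison is done per branch on purpose: 6.4.10 is fixed even though it is numerically lower than 7.0.7, which is vulnerable, so a flat "version >= 7.0.8" check would misclassify every patched 6.x host.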
📡 Detection & Monitoring
Log Indicators:
- Windows Security event ID 4656 (a handle to an object was requested) for the FortiClient pipe; this only appears if Object Access auditing is enabled and the pipe object carries a SACL, which it has only if the creating process set one, so in practice use Sysmon event ID 17 (pipe created) and 18 (pipe connected) and alert on connections from images outside the FortiClient install directory
- FortiClient's service process spawning unexpected child processes (cmd.exe, powershell.exe, or anything not shipped with FortiClient)
- Errors or unexpected entries in FortiClient's own logs coinciding with the activity above
Network Indicators:
- Inbound SMB (TCP 445) connections to workstations, which is the only way a named pipe on the endpoint can be reached from another host; an exploit run locally leaves no network trace
- Anomalous outbound connections from FortiClient processes or their children (post-exploitation activity)
SIEM Query:
Pseudo-syntax; adapt the field names to your SIEM. The FortiClient install path and the pipe-name pattern are assumptions to confirm on a reference host:
source="sysmon" AND event_id=18 AND pipe_name="*FortiClient*" AND NOT image="C:\Program Files\Fortinet\FortiClient\*"
OR (source="sysmon" AND event_id=1 AND parent_image="C:\Program Files\Fortinet\FortiClient\*" AND NOT image="C:\Program Files\Fortinet\FortiClient\*")
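The detection logic behind the query above, as an added example that is not part of the original page or of FortiClient: it flattens Sysmon "Pipe Connected" events (Event ID 18) and reports any process outside the FortiClient install directory that connected to a FortiClient-named pipe. The install path and the pipe-name pattern are assumptions, the sample records are constructed, and the pipe name in them is a placeholder rather than FortiClient's real pipe name.

```powershell
# Added example, not from the original page or from FortiClient: run a detection
# over Sysmon "Pipe Connected" events (Event ID 18) and report any process outside
# the FortiClient install directory that connected to a FortiClient-named pipe.
# Assumptions: the default install path below and the pipe-name pattern; confirm
# both on a reference host (the real pipe name is not given on this page).

$TrustedImages = 'C:\Program Files\Fortinet\FortiClient\*'   # assumed default install path
$PipePattern   = '*forticlient*'                             # assumed; -like is case-insensitive

function ConvertFrom-SysmonEvent {
    # Flatten a Sysmon EventLogRecord's <EventData> into an object keyed by field name.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $xml   = [xml]$Record.ToXml()
        $props = @{ UtcTime = $Record.TimeCreated.ToUniversalTime().ToString('u') }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

function Find-SuspiciousPipeConnect {
    # Input objects need Image and PipeName (Sysmon EID 18 fields); UtcTime is optional.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        if ($Event.PipeName -notlike $PipePattern) { return }   # not a FortiClient pipe
        if ($Event.Image -like $TrustedImages)     { return }   # FortiClient's own components
        [pscustomobject]@{
            UtcTime  = $Event.UtcTime
            Image    = $Event.Image
            PipeName = $Event.PipeName
            Reason   = 'process outside the FortiClient directory connected to a FortiClient pipe'
        }
    }
}

# Constructed sample records standing in for flattened Sysmon EID 18 events.
# The pipe name is a placeholder, not FortiClient's real pipe name.
$sample = @(
    [pscustomobject]@{ UtcTime = '2023-01-10 09:00:01Z'; Image = 'C:\Program Files\Fortinet\FortiClient\FortiClient.exe'; PipeName = '\FortiClientExamplePipe' }
    [pscustomobject]@{ UtcTime = '2023-01-10 09:00:02Z'; Image = 'C:\Windows\System32\svchost.exe';                       PipeName = '\lsass' }
    [pscustomobject]@{ UtcTime = '2023-01-10 09:00:03Z'; Image = 'C:\Users\alice\AppData\Local\Temp\update.exe';         PipeName = '\FortiClientExamplePipe' }
)

$sample | Find-SuspiciousPipeConnect | Format-Table -AutoSize

# Live use on a host where the Sysmon configuration logs pipe events (run elevated):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 18 } |
#       ConvertFrom-SysmonEvent | Find-SuspiciousPipeConnect
```

Sysmon only records pipe events when its configuration includes a PipeEvent rule, so check the deployed config before relying on this source; the allow-list is by image path rather than process name because the client opening the pipe is the attacker's process, not FortiClient.exe.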