CVE-2022-43946

7.5 HIGH

📋 TL;DR

This CVE describes two vulnerabilities in Fortinet FortiClient for Windows: an incorrect permission assignment (CWE-732) and a TOCTOU race condition (CWE-367). Attackers on the same file sharing network can exploit these to execute arbitrary commands via Windows pipes. Affected users are those running vulnerable FortiClient versions on Windows systems connected to file sharing networks.

💻 Affected Systems

Products:
  • Fortinet FortiClient for Windows
Versions: All versions before 7.0.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attackers to be on the same file sharing network as the vulnerable system.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining SYSTEM privileges and establishing persistence on the compromised machine.

🟠 Likely Case: Local privilege escalation allowing attackers to execute arbitrary commands with elevated privileges.

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege principles are implemented.

🌐 Internet-Facing: LOW - Requires local network access via file sharing.
🏢 Internal Only: HIGH - Attackers on the same file sharing network can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local network access and knowledge of Windows pipe exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.7 and later

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-429

Restart Required: Yes

Instructions:

1. Download FortiClient version 7.0.7 or later from the Fortinet support portal.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system when prompted.

🔧 Temporary Workarounds

Disable unnecessary file sharing (Windows)

Reduce attack surface by disabling file sharing services that are not required for business operations. Note that stopping the LanmanServer (Server) service disables all inbound SMB shares on the host, including administrative shares, so remote management that depends on them will stop working until the service is re-enabled.

net stop LanmanServer
sc config LanmanServer start= disabled

Implement network segmentation (all platforms)

Segment file sharing networks to limit potential attackers' access to vulnerable systems.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate file sharing networks
  • Apply principle of least privilege to all user accounts and service accounts

🔍 How to Verify

Check if Vulnerable:

Check FortiClient version in Settings > About. If version is below 7.0.7, the system is vulnerable.

Check Version:

wmic product where "name like 'FortiClient%'" get version

Verify Fix Applied:

Verify FortiClient version is 7.0.7 or higher in Settings > About after patching.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation events from FortiClient processes
  • Suspicious named pipe creation or access attempts

Network Indicators:

  • Unexpected SMB or file sharing traffic to FortiClient systems
  • Lateral movement attempts from file sharing segments

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%forticlient%' OR ParentProcessName LIKE '%forticlient%') AND CommandLine CONTAINS 'pipe'
