CVE-2023-22635

7.3 HIGH

📋 TL;DR

This vulnerability in FortiClient for macOS allows local attackers to escalate privileges by modifying the installer during an upgrade process. It affects all versions of FortiClientMac from 4.0 through 7.0.7 due to missing integrity checks on downloaded code.

💻 Affected Systems

Products:
  • FortiClient for macOS
Versions: 4.0 all versions, 5.0 all versions, 5.2 all versions, 5.4 all versions, 5.6 all versions, 6.0 all versions, 6.2 all versions, 6.4 all versions, 7.0.0 through 7.0.7
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires local access to the system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains root privileges on the macOS system, enabling complete system compromise, data theft, and persistence.

🟠 Likely Case

Malicious local user or malware with user-level access escalates to administrative privileges to install additional malware or access sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated systems with quick detection and remediation.

🌐 Internet-Facing: LOW (requires local access to exploit)
🏢 Internal Only: HIGH (any local user or malware with user access can potentially exploit this)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and the ability to modify installer files during the upgrade process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiClientMac 7.0.8 and later

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-481

Restart Required: Yes

Instructions:

1. Download FortiClientMac 7.0.8 or later from the Fortinet support portal.
2. Uninstall the current FortiClient.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Disable automatic updates

macOS

Prevent automatic upgrades that could be intercepted and modified

sudo defaults write /Library/Preferences/com.fortinet.FortiClient AutoUpdate -bool false

Restrict local user privileges

macOS

Limit which users can modify system files and install software

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor for unauthorized privilege escalation attempts and installer modifications

🔍 How to Verify

Check if Vulnerable:

Check the FortiClient version: Open FortiClient → About. If the version is between 4.0 and 7.0.7 (inclusive), the system is vulnerable.

Check Version:

defaults read /Applications/FortiClient.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

Verify that the FortiClient version is 7.0.8 or later. Check that integrity verification is enabled in settings.
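The version check above, as an added example that is not part of the advisory or of Fortinet's software: a POSIX shell script that reads CFBundleShortVersionString from the Info.plist path given above and classifies the result against the affected range (4.0 through 7.0.7 affected, 7.0.8 and later fixed). The numeric comparison is written out because a plain string comparison would misorder versions such as 7.0.10 and 7.0.8.

```shell
#!/bin/sh
# Added example: classify a FortiClientMac version against CVE-2023-22635.
# Affected range taken from the advisory: 4.0 .. 7.0.7; fixed in 7.0.8+.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    pa=${a%%.*}; pb=${b%%.*}
    [ "$pa" = "$a" ] && a="" || a=${a#*.}
    [ "$pb" = "$b" ] && b="" || b=${b#*.}
    # keep digits only so a suffix like "7.0.8b" does not break the test
    pa=$(printf '%s' "$pa" | tr -cd '0-9'); pb=$(printf '%s' "$pb" | tr -cd '0-9')
    pa=${pa:-0}; pb=${pb:-0}
    if [ "$pa" -lt "$pb" ]; then echo -1; return; fi
    if [ "$pa" -gt "$pb" ]; then echo 1; return; fi
  done
  echo 0
}

# Exit status 0 when the version lies in the affected range, 1 otherwise.
forticlient_affected() {
  v="$1"
  [ "$(vercmp "$v" 4.0)" -ge 0 ] && [ "$(vercmp "$v" 7.0.8)" -lt 0 ]
}

# Read the installed version from the app bundle (macOS only) and report.
# Exit status: 0 = not affected, 1 = affected, 2 = FortiClient not found.
check_installed() {
  plist="${1:-/Applications/FortiClient.app/Contents/Info.plist}"
  v=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || {
    echo "FortiClient not found at $plist"; return 2; }
  if forticlient_affected "$v"; then
    echo "FortiClientMac $v is in the affected range (4.0-7.0.7): upgrade to 7.0.8 or later"
    return 1
  fi
  echo "FortiClientMac $v is not affected (7.0.8 or later)"
}

# Only run the live check on macOS, where the defaults tool exists.
if [ "$(uname)" = Darwin ]; then check_installed "$@"; fi
```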

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized privilege escalation events
  • Modifications to FortiClient installer files
  • Unexpected process execution with elevated privileges

Network Indicators:

  • Unusual outbound connections during FortiClient updates

SIEM Query:

source="macos" AND (event="privilege_escalation" OR (process="FortiClient" AND action="modify"))
