CVE-2024-36507
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Fortinet FortiClient for Windows where an attacker can place a malicious DLL in a location that FortiClient searches before legitimate system directories. When FortiClient loads the DLL, the attacker's code executes with the privileges of the FortiClient process. This affects all users running vulnerable versions of FortiClient on Windows systems.
💻 Affected Systems
- Fortinet FortiClient
📦 What is this software?
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full system control by executing arbitrary code with SYSTEM or administrative privileges, potentially leading to complete network compromise, data exfiltration, ransomware deployment, or persistent backdoor installation.
Likely Case
An attacker with local access or ability to place files via social engineering executes malicious code with user-level privileges, enabling credential theft, lateral movement, or installation of additional malware.
If Mitigated
With proper controls like application whitelisting and least privilege, exploitation would be limited to user-level access without ability to escalate or move laterally.
🎯 Exploit Status
Requires social engineering to trick a user into placing a malicious DLL, or local access to plant the DLL. Not remotely exploitable without user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1, 7.2.5, 7.0.13
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-205
Restart Required: Yes
Instructions:
1. Download the latest FortiClient version from the Fortinet support portal.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
4. Verify that the installed version matches the patched release.
🔧 Temporary Workarounds
Application Control Policies
Implement application whitelisting to prevent execution of unauthorized DLLs from untrusted locations.
Configure via Windows AppLocker or third-party application control solution
Restrict DLL Search Path
Use Windows policy to restrict the DLL search order so that the current directory is not searched before the system directories.
Set registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1
🧯 If You Can't Patch
- Implement strict application control policies to block execution of unauthorized DLLs
- Remove local administrative privileges from standard users to limit impact
🔍 How to Verify
Check if Vulnerable:
Check the FortiClient version in the About dialog or via the 'FortiClient.exe --version' command. If the version is 7.4.0, 7.2.0-7.2.4, or 7.0.0-7.0.12, the system is vulnerable.
Check Version:
FortiClient.exe --version
Verify Fix Applied:
Verify that the FortiClient version is 7.4.1, 7.2.5, or 7.0.13 or later. Check that no unauthorized DLLs exist in the FortiClient installation directory.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- FortiClient logs showing abnormal process behavior
Network Indicators:
- Unusual outbound connections from FortiClient process
- DNS queries to suspicious domains
SIEM Query:
Process Creation where (Image contains 'forticlient' OR ParentImage contains 'forticlient') AND CommandLine contains '.dll'
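The "DLL loading from unusual paths" indicator above can be checked directly against image-load telemetry rather than process-creation command lines. The following is an added example, not Fortinet's code or a query from this page: it scans Sysmon-style Event ID 7 (ImageLoad) records and flags DLLs that a FortiClient process loaded from outside its install directory or the Windows system directories, or that carry an invalid signature status. The install path and the sample events are assumptions constructed for the example.

```python
"""Flag DLL loads by FortiClient processes from untrusted locations.
Added example; input records mimic Sysmon Event ID 7 field names."""
from pathlib import PureWindowsPath

# Assumed install location; adjust to the real deployment.
FORTICLIENT_DIR = PureWindowsPath(r"C:\Program Files\Fortinet\FortiClient")
TRUSTED_DIRS = (
    FORTICLIENT_DIR,
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside `root`."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


def is_forticlient_process(image: str) -> bool:
    """Same matching rule as the page's SIEM query: image path contains 'forticlient'."""
    return "forticlient" in image.lower()


def suspicious_loads(events):
    """Return ImageLoaded paths that a FortiClient process pulled from an
    untrusted directory, or whose signature status is not 'Valid'."""
    hits = []
    for ev in events:
        if not is_forticlient_process(ev["Image"]):
            continue
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll":
            continue
        trusted_dir = any(_under(dll.parent, d) for d in TRUSTED_DIRS)
        signed_ok = ev.get("SignatureStatus", "").lower() == "valid"
        if not trusted_dir or not signed_ok:
            hits.append(str(dll))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",  # not a FortiClient process, ignored
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print("suspicious DLL load:", hit)
```

Only the second record is reported: a DLL loaded by FortiClient from a user-writable directory with no valid signature, which is exactly the pattern this CVE describes.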