CVE-2024-36513

8.2 HIGH

📋 TL;DR

This vulnerability in FortiClient for Windows allows authenticated users to escalate privileges through Lua auto patch scripts. It affects FortiClient Windows versions 7.2.4 and below, 7.0.12 and below, and all 6.4 versions. Attackers with local access can gain SYSTEM-level privileges.

💻 Affected Systems

Products:
  • FortiClient for Windows
Versions: 7.2.4 and below, 7.0.12 and below, all 6.4 versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of FortiClient. Requires authenticated user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains SYSTEM privileges, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Malicious insider or compromised user account escalates to SYSTEM privileges to install backdoors, disable security controls, or access sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated systems with rapid detection and containment.

🌐 Internet-Facing: LOW - Exploitation requires local authenticated access, not remote.
🏢 Internal Only: HIGH - Any authenticated user on affected Windows systems can potentially exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access but appears straightforward based on the vulnerability description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiClient 7.2.5, 7.0.13, and later versions

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-144

Restart Required: Yes

Instructions:

1. Download latest FortiClient version from Fortinet support portal.
2. Uninstall current version.
3. Install updated version.
4. Restart system.

🔧 Temporary Workarounds

Restrict Lua script execution (Windows): Disable or restrict Lua auto patch script functionality if not required.

Limit local user privileges (Windows): Implement least privilege access controls to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into affected systems
  • Enable detailed logging and monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the FortiClient version via Control Panel > Programs > Programs and Features, or run 'wmic product get name,version' in a command prompt. Note that 'wmic product' queries the Win32_Product WMI class, which is slow and triggers a consistency check of every MSI-installed package, so on production hosts prefer the Programs and Features view or the registry uninstall keys.

Check Version:

wmic product where "name like '%FortiClient%'" get name,version

Verify Fix Applied:

Verify the installed version is 7.2.5 or later on the 7.2 branch, or 7.0.13 or later on the 7.0 branch. The 6.4 branch has no fixed release, so any 6.4.x install must be upgraded to a fixed branch.
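The version comparison above is easy to get wrong when done by eye (a build suffix such as 7.2.4.0945 is still 7.2.4, and 6.4.x is affected regardless of patch level). The script below is an added example, not Fortinet's tooling: it encodes the affected ranges stated in this advisory as data, parses a version string, and reads a constructed sample of the 'wmic product get name,version' output shown on this page. The product name 'Example Unrelated Product' and the column widths in the sample are assumptions; only the 'forticlient' substring match matters.

```python
"""Version check for the CVE-2024-36513 affected ranges (added example).

Affected per the advisory: FortiClient for Windows 7.2.4 and below, 7.0.12 and
below, and every 6.4 release. First fixed builds: 7.2.5 and 7.0.13.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed build per release branch, as stated in the advisory. None means
# the whole branch is affected (6.4 has no fixed release listed).
FIXED_BUILDS: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 13),
    (6, 4): None,
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn strings such as '7.2.4.0945' or '7.0.13' into a tuple of ints.

    Returns None when the string does not start with a dotted number.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed or outside
    the listed branches, None if the string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None or len(parsed) < 2:
        return None
    branch = parsed[:2]
    if branch not in FIXED_BUILDS:
        # Branches the advisory does not list (for example 7.4) are reported as
        # not affected; confirm against the vendor advisory before relying on it.
        return False
    fixed = FIXED_BUILDS[branch]
    if fixed is None:
        return True
    # Compare major.minor.patch only; the trailing build number does not change
    # which side of the fix boundary a release falls on.
    return parsed[:3] < fixed


# Constructed sample of 'wmic product get name,version' output (not captured
# from a real host); real column widths differ but the layout is the same.
SAMPLE_WMIC_OUTPUT = """\
Name                          Version
Example Unrelated Product     1.0.0
FortiClient                   7.2.4.0945
"""


def scan_wmic_output(text: str) -> Dict[str, Optional[bool]]:
    """Map each FortiClient entry in wmic output to its vulnerability verdict."""
    verdicts: Dict[str, Optional[bool]] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.rsplit(None, 1)    # last whitespace-separated token is the version
        if len(parts) != 2 or "forticlient" not in parts[0].lower():
            continue
        name, version = parts[0].strip(), parts[1]
        verdicts[name] = is_vulnerable(version)
    return verdicts


if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed / not affected", None: "unknown version"}
    for name, verdict in scan_wmic_output(SAMPLE_WMIC_OUTPUT).items():
        print(f"{name}: {labels[verdict]}")
```

To use it against a real host, pipe the actual wmic output (or the DisplayName/DisplayVersion values from the registry uninstall keys) into scan_wmic_output; the verdict for an unlisted branch is deliberately conservative in the sense of "check the advisory", not "safe".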

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Lua script execution in FortiClient logs
  • SYSTEM account activity from non-admin users

Network Indicators:

  • Unusual outbound connections from affected systems post-exploit

SIEM Query:

EventID=4688 AND ParentProcessName LIKE '%forticlient%' AND (NewProcessName LIKE '%cmd%' OR NewProcessName LIKE '%powershell%')

In event 4688 the created process is NewProcessName and its creator is ParentProcessName. The two shell clauses must be parenthesised and each given its own field; a bare '%powershell%' literal after OR is not a valid predicate, and in engines that accept it the OR binds outside the AND and matches every event.
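The rule below is an added example (not from this page's SIEM or from Fortinet) that implements the same logic as the query above in Python and runs it over constructed 4688 records, so the grouping and field choices can be checked before the rule goes into production. The FortiClient install path, the user SID and the account name 'alice' are made up; the rule keys on the 'forticlient' substring of the parent process, anchors the child on its file name so that 'cmdkey.exe' does not match '%cmd%', and raises severity when the shell is created under the well-known SYSTEM SID, which is the "SYSTEM account activity" indicator listed above.

```python
"""Detection rule for FortiClient-spawned shells over constructed 4688 events.

Added example; the events below are made up, not captured from a real host.
"""
import re
from typing import Dict, List, Optional

# Child binaries the page's query looks for, anchored on the file name so a
# path that merely contains 'cmd' elsewhere (e.g. cmdkey.exe) does not match.
SHELL_NAME = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.IGNORECASE)
LOCAL_SYSTEM_SID = "S-1-5-18"  # well-known SID of NT AUTHORITY\SYSTEM

# Constructed events using the Security log 4688 field names. The FortiClient
# install path is a placeholder; the rule only needs the 'forticlient' substring.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "SubjectUserSid": LOCAL_SYSTEM_SID, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "4688", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": "4688", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "4688", "SubjectUserSid": LOCAL_SYSTEM_SID, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "NewProcessName": r"C:\Windows\System32\cmdkey.exe"},
    {"EventID": "4624", "SubjectUserSid": LOCAL_SYSTEM_SID, "SubjectUserName": "SYSTEM",
     "ParentProcessName": "", "NewProcessName": ""},
]


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict when the event matches the rule, else None."""
    if event.get("EventID") != "4688":
        return None
    parent = event.get("ParentProcessName", "")
    child = event.get("NewProcessName", "")
    if "forticlient" not in parent.lower():
        return None
    if not SHELL_NAME.search(child):
        return None
    # A shell created under SYSTEM from a FortiClient parent is the escalation
    # outcome this advisory describes; a user-context shell is still unusual.
    severity = "high" if event.get("SubjectUserSid") == LOCAL_SYSTEM_SID else "medium"
    return {
        "severity": severity,
        "user": event.get("SubjectUserName", ""),
        "parent": parent,
        "child": child,
    }


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events and collect the alerts in order."""
    alerts = []
    for event in events:
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['user']}: {alert['parent']} -> {alert['child']}")
```

Feed real events into detect() by mapping your log pipeline's field names onto the 4688 names used here; the file-name anchor is the part most worth keeping when porting the rule back into a SIEM, since '%cmd%' alone is noisy.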
