CVE-2024-40586
📋 TL;DR
This CVE describes an improper access control vulnerability in FortiClient for Windows that allows local users to escalate privileges via the FortiSSLVPNd service pipe. It affects FortiClient Windows versions 7.4.0, 7.2.6 and below, and 7.0.13 and below. The vulnerability enables attackers with local access to gain SYSTEM-level privileges on affected systems.
💻 Affected Systems
- FortiClient for Windows
📦 What is this software?
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access gains SYSTEM privileges, enabling complete system compromise, installation of malware, credential theft, and persistence mechanisms.
Likely Case
Local users or malware with initial foothold escalate to SYSTEM privileges to bypass security controls, install additional payloads, or access protected resources.
If Mitigated
With proper access controls and least privilege principles, impact is limited to authorized local users only, preventing unauthorized privilege escalation.
🎯 Exploit Status
Requires local access to the system. Exploitation likely involves manipulating the named pipe exposed by the FortiSSLVPNd service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to FortiClient 7.4.1, 7.2.7, or 7.0.14
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-23-279
Restart Required: Yes
Instructions:
1. Download the latest FortiClient version from the Fortinet support portal.
2. Uninstall the current FortiClient.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Disable FortiSSLVPNd Service
Windows: Stop and disable the vulnerable service if VPN functionality is not required
sc stop FortiSSLVPNd
sc config FortiSSLVPNd start= disabled
Restrict Named Pipe Access
Windows: Apply stricter ACLs to the FortiSSLVPNd named pipe
icacls \\.\pipe\FortiSSLVPNd /deny Everyone:(F)
🧯 If You Can't Patch
- Implement strict endpoint privilege management to limit local user privileges
- Monitor for suspicious named pipe access attempts and privilege escalation activities
🔍 How to Verify
Check if Vulnerable:
Check FortiClient version via GUI (Help > About) or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Version
Check Version:
reg query "HKLM\SOFTWARE\Fortinet\FortiClient" /v Version
Verify Fix Applied:
Verify that the installed version is 7.4.1 or later (7.4 branch), 7.2.7 or later (7.2 branch), or 7.0.14 or later (7.0 branch)
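The version check above, as an added PowerShell example (not from the advisory or from Fortinet): it reads the same registry value as the reg query, works out which 7.x branch is installed, and compares it with that branch's fixed release. It assumes the Version value under HKLM:\SOFTWARE\Fortinet\FortiClient starts with a dotted numeric version string.

```powershell
# Added example, not part of the advisory. Fixed releases per branch, as listed
# in the Official Fix section above.
$FixedByBranch = @{
    '7.4' = [version]'7.4.1'
    '7.2' = [version]'7.2.7'
    '7.0' = [version]'7.0.14'
}

function Get-FortiClientVersion {
    # Same registry value the advisory's 'reg query' reads (assumed to hold a
    # string such as '7.2.6.0991' or '7.2.6 build 0991').
    $key  = 'HKLM:\SOFTWARE\Fortinet\FortiClient'
    $item = Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    # Keep only the leading dotted-numeric part so [version] can parse it.
    $clean = ($item.Version -replace '[^0-9.].*$', '').TrimEnd('.')
    return [version]$clean
}

function Test-FortiClientFixed {
    param([Parameter(Mandatory)][version]$Installed)
    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if (-not $FixedByBranch.ContainsKey($branch)) {
        # Branch not covered by this advisory (e.g. a 6.x install): do not guess.
        return [pscustomobject]@{ Installed = $Installed; Branch = $branch;
                                  Status = 'Branch not listed in FG-IR-23-279; check vendor advisory' }
    }
    $fixed  = $FixedByBranch[$branch]
    $status = if ($Installed -ge $fixed) { 'Fixed' }
              else { "Vulnerable (upgrade to $fixed or later)" }
    [pscustomobject]@{ Installed = $Installed; Branch = $branch; Fixed = $fixed; Status = $status }
}

$installed = Get-FortiClientVersion
if ($null -eq $installed) {
    Write-Output 'FortiClient Version value not found; FortiClient may not be installed.'
} else {
    Test-FortiClientFixed -Installed $installed
}
```

Run it in an elevated or standard PowerShell session on the endpoint; reading HKLM does not require administrator rights.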
📡 Detection & Monitoring
Log Indicators:
- Unusual named pipe access to FortiSSLVPNd
- Privilege escalation events from non-admin users
- FortiClient service restart attempts
Network Indicators:
- Not applicable - local exploit only
SIEM Query:
EventID=4688 AND ProcessName LIKE '%FortiSSLVPNd%' AND CommandLine CONTAINS 'pipe'