CVE-2024-52968
📋 TL;DR
This vulnerability allows attackers to bypass authentication on macOS systems running vulnerable FortiClient versions by using an empty password. It affects all macOS users running FortiClientMac 7.0.11 through 7.2.4. The improper authentication flaw enables unauthorized access to the system.
💻 Affected Systems
- Fortinet FortiClientMac
📦 What is this software?
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise, allowing an attacker to execute arbitrary code, access sensitive data, and establish persistence on the macOS system.
Likely Case
Unauthorized access to the macOS system with user-level privileges, potentially leading to data theft, credential harvesting, or lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation and endpoint protection, though authentication bypass remains possible on vulnerable endpoints.
🎯 Exploit Status
Exploitation requires local access to the macOS system, but because the bypass consists of authenticating with an empty password, it is trivial to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.5 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-300
Restart Required: Yes
Instructions:
1. Download FortiClientMac version 7.2.5 or later from the Fortinet support portal.
2. Install the update following standard macOS installation procedures.
3. Restart the system to ensure the changes take effect.
🔧 Temporary Workarounds
Disable FortiClient temporarily
Temporarily disable FortiClient to prevent exploitation while planning the upgrade:
sudo launchctl unload /Library/LaunchDaemons/com.fortinet.forticlient.daemon.plist
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable macOS systems
- Enable multi-factor authentication and monitor for authentication anomalies
🔍 How to Verify
Check if Vulnerable:
Check the FortiClient version in the About section of the FortiClient application, or run: defaults read /Applications/FortiClient.app/Contents/Info.plist CFBundleShortVersionString
Check Version:
defaults read /Applications/FortiClient.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Verify that the installed version is 7.2.5 or later using the same command, and confirm that authentication prompts for a valid password.
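The version check above is easy to get wrong by eye (7.2.10 sorts after 7.2.4, for instance). The following script is an added example, not part of this advisory or of Fortinet's tooling: it compares a dotted version string field by field against the affected range stated above (7.0.11 through 7.2.4) and, on macOS, reads the installed version from the plist path and CFBundleShortVersionString key given in the advisory. The helper names and the comparison logic are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a FortiClientMac version
# string against the affected range 7.0.11 through 7.2.4. The plist path and
# CFBundleShortVersionString key come from the advisory; the helper names and
# comparison logic are assumptions made for this example.

# vercmp A B: prints -1, 0, or 1 as A <, =, > B, comparing dotted numeric
# fields. Missing fields count as 0 (7.2 == 7.2.0); a trailing non-digit
# suffix on a field (7.2.5b) is ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        [ -z "$ah" ] && ah=0
        [ -z "$bh" ] && bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: exit status 0 if 7.0.11 <= VERSION <= 7.2.4,
# non-zero otherwise (7.2.5 and later are fixed; builds before 7.0.11 are
# outside the range the advisory names).
is_vulnerable() {
    v="$1"
    [ "$(vercmp "$v" 7.0.11)" -ge 0 ] && [ "$(vercmp "$v" 7.2.4)" -le 0 ]
}

# installed_version: read the bundle version from the path in the advisory.
# Only meaningful on macOS with FortiClient installed; fails elsewhere.
installed_version() {
    defaults read /Applications/FortiClient.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null
}

# main: report whether the installed build is in the affected range.
# Exit 1 = vulnerable, 0 = not in range, 2 = could not read a version.
main() {
    v="$(installed_version)" || {
        echo "FortiClient.app not found or 'defaults' unavailable on this host"
        return 2
    }
    if is_vulnerable "$v"; then
        echo "FortiClientMac $v is in the affected range 7.0.11-7.2.4: upgrade to 7.2.5 or later"
        return 1
    fi
    echo "FortiClientMac $v is outside the affected range"
    return 0
}

# Usage: sh check_forticlient.sh --check   (the file name is an assumption)
case "${1:-}" in --check) main ;; esac
```

Running the script with `--check` on an endpoint gives a non-zero exit status for an affected build, which makes it usable from a fleet-management job that collects return codes; the functions can also be sourced and `is_vulnerable` fed versions gathered by other means.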
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with empty passwords
- Unexpected successful logins without password entry
- FortiClient authentication bypass events
Network Indicators:
- Unusual authentication traffic patterns from macOS endpoints
- Authentication requests with empty credential fields
SIEM Query:
source="forticlient" AND event_type="authentication" AND (password="" OR password_length=0)
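For environments without a SIEM, or for checking an exported log file offline, the following script is an added example (not part of the advisory) that applies the same logic with explicit precedence: both the source and the event type must match before either empty-password condition is tested, so that events from other sources are never flagged. The key=value log format and the sample lines are constructed for this example; real FortiClient log field names may differ and should be mapped before use.

```shell
#!/bin/sh
# Added example, not part of the advisory: apply the empty-password detection
# logic to key=value log lines offline. The log format and sample lines below
# are constructed for this example; real FortiClient fields may differ.

# flag_empty_password_auth: reads key=value lines on stdin and prints those
# where source=forticlient AND event_type=authentication AND the password is
# empty (password="" or password_length=0). Grouping is explicit so the
# empty-password test is only applied to FortiClient authentication events.
flag_empty_password_auth() {
    awk '
    {
        split("", f)                      # reset the field map per line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/^"|"$/, "", v)          # strip surrounding quotes
            f[k] = v
        }
        if (f["source"] == "forticlient" && f["event_type"] == "authentication" &&
            ((("password" in f) && f["password"] == "") || f["password_length"] == "0"))
            print
    }'
}

# sample_logs: constructed sample input; lines 2 and 3 should be flagged,
# line 4 should not (different source), line 5 should not (not an auth event).
sample_logs() {
    cat <<'EOF'
ts=2024-11-01T10:00:00Z source=forticlient event_type=authentication user=alice password="********" auth_result=success
ts=2024-11-01T10:00:05Z source=forticlient event_type=authentication user=bob password="" auth_result=success
ts=2024-11-01T10:00:09Z source=forticlient event_type=authentication user=carol password_length=0 auth_result=success
ts=2024-11-01T10:01:00Z source=sshd event_type=authentication user=dave password="" auth_result=failure
ts=2024-11-01T10:02:00Z source=forticlient event_type=vpn_connect user=erin auth_result=success
EOF
}

# count_flagged: number of sample lines the filter reports.
count_flagged() {
    sample_logs | flag_empty_password_auth | wc -l | tr -d ' '
}

# Usage: sh flag_empty_auth.sh < exported.log   (file name is an assumption)
case "${1:-}" in --demo) sample_logs | flag_empty_password_auth ;; esac
```

On a real export, pipe the log file into `flag_empty_password_auth` after renaming the fields to the ones this parser expects; successful authentications with an empty password are the events the advisory calls out as the clearest indicator.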