CVE-2024-54019
📋 TL;DR
This vulnerability in Fortinet FortiClient for Windows allows attackers to redirect VPN connections through DNS spoofing or other redirection methods due to improper certificate hostname validation. Attackers can intercept or redirect VPN traffic, potentially leading to man-in-the-middle attacks. Affected users include organizations using vulnerable FortiClient versions for VPN connectivity.
💻 Affected Systems
- Fortinet FortiClient for Windows
📦 What is this software?
Forticlient by Fortinet
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept all VPN traffic, steal credentials, inject malware, and access internal network resources as authenticated users.
Likely Case
Targeted attacks redirect specific users to malicious VPN endpoints, enabling credential theft and limited network access.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential credential exposure for redirected users.
🎯 Exploit Status
Requires ability to manipulate DNS or network routing. No authentication needed to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1, 7.2.7, and later versions
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-365
Restart Required: Yes
Instructions:
1. Download latest FortiClient version from Fortinet support portal. 2. Install update on all affected Windows endpoints. 3. Restart systems to apply changes. 4. Verify version is updated to 7.4.1, 7.2.7 or later.
🔧 Temporary Workarounds
DNS Security Controls
allImplement DNSSEC, DNS filtering, and monitor for DNS spoofing attempts
Network Segmentation
allIsolate VPN traffic and implement strict network access controls
🧯 If You Can't Patch
- Monitor VPN connection logs for unusual endpoints or certificate mismatches
- Implement certificate pinning or additional VPN authentication factors
🔍 How to Verify
Check if Vulnerable:
Check FortiClient version in About dialog or via command: FortiClient.exe --versionCheck Version:
FortiClient.exe --versionVerify Fix Applied:
Verify version is 7.4.1, 7.2.7 or later. Test VPN connections with invalid certificates to ensure proper validation.📡 Detection & Monitoring
Log Indicators:
- VPN connection failures due to certificate errors
- Connections to unexpected VPN endpoints
- Multiple failed authentication attempts from same source
Network Indicators:
- DNS queries for VPN endpoints from unusual sources
- VPN traffic to non-standard IP addresses
- SSL/TLS certificate mismatches in VPN connections
SIEM Query:
source="forticlient" AND (event="vpn_connection_failed" OR certificate_error="hostname_mismatch")