CVE-2025-57716
📋 TL;DR
This vulnerability allows a local low-privileged user on Windows systems to perform DLL hijacking attacks by placing malicious DLLs in the FortiClient Online Installer installation folder. It affects FortiClient Windows versions 7.4.0-7.4.3, 7.2.0-7.2.11, and all 7.0 versions. Attackers could execute arbitrary code with the privileges of the FortiClient process.
💻 Affected Systems
- FortiClient for Windows
📦 What is this software?
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation to SYSTEM or administrator privileges, enabling persistence, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to gain higher privileges on the compromised system, potentially installing malware or accessing sensitive data.
If Mitigated
Limited impact with proper endpoint protection, application whitelisting, and user privilege restrictions preventing DLL placement.
🎯 Exploit Status
Requires local access and ability to write to FortiClient installation directory. DLL hijacking is a well-known technique with available tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to FortiClient 7.4.4 or later, or 7.2.12 or later. 7.0.x users must upgrade to supported versions.
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-685
Restart Required: No
Instructions:
1. Download the latest FortiClient version from the Fortinet support portal.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Verify the version after installation.
🔧 Temporary Workarounds
Restrict write permissions to FortiClient directory
Windows: Remove write permissions for non-administrative users on the FortiClient Online Installer installation folder so that a DLL cannot be placed there. The example command below covers the main FortiClient installation directory; the Online Installer folder in use must be restricted the same way.
icacls "C:\Program Files\Fortinet\FortiClient" /deny Users:(OI)(CI)W
Enable application control/whitelisting
All platforms: Configure endpoint protection or application control to block execution of unauthorized DLLs from the FortiClient directory.
🧯 If You Can't Patch
- Implement least privilege principle - ensure users don't have write access to program directories
- Monitor for suspicious DLL creation/modification in FortiClient directories using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the FortiClient version in Help > About, or with the wmic command under Check Version, and compare it against the affected ranges listed in the TL;DR.
Check Version:
wmic product where "name like 'FortiClient%'" get version
Verify Fix Applied:
Confirm version is 7.4.4+, 7.2.12+, or any version outside affected ranges. Verify no unauthorized DLLs exist in FortiClient directories.
📡 Detection & Monitoring
Log Indicators:
- Image-load events showing DLLs loaded from a FortiClient directory that are unsigned, not signed by Fortinet, or loaded by non-standard processes (the standard Security log does not record DLL loads; an image-load source such as Sysmon Event ID 7 is required)
- File creation events for DLLs in FortiClient installation paths
Network Indicators:
- Unusual outbound connections from FortiClient process post-DLL loading
SIEM Query:
source="windows" (event_id=4688 OR event_id=4689) process_path="*FortiClient*" AND (dll_loaded="*FortiClient*" OR command_line="*dll*")
Note: Windows events 4688/4689 record process start and stop only and carry no loaded-DLL field, so the dll_loaded clause matches nothing unless the SIEM also ingests image-load telemetry (for example Sysmon Event ID 7, whose ImageLoaded, Signed, Signature and SignatureStatus fields identify the DLL and its signer).
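Because process-creation events cannot show which DLL FortiClient loaded, the detection is better expressed over Sysmon Event ID 7 records. The following is an added example, not code from the advisory or from Fortinet: it parses Event ID 7 messages in Event Viewer's "Key: Value" text form and flags any DLL under a FortiClient path that is not validly signed by the expected signer. The sample events, DLL names, signer subject and Online Installer location are constructed placeholders.

```python
"""Flag DLL loads from FortiClient paths lacking a valid Fortinet signature (Sysmon Event ID 7)."""
# Constructed Sysmon Event ID 7 messages in Event Viewer's "Key: Value" text form. The DLL
# names, the signer subject and the Online Installer path are illustrative placeholders.
SAMPLE_EVENTS = """\
Image loaded:
Image: C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe
ImageLoaded: C:\\Program Files\\Fortinet\\FortiClient\\example_core.dll
Signed: true
Signature: Fortinet Technologies (placeholder signer)
SignatureStatus: Valid

Image loaded:
Image: C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe
ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\FortiClientOnlineInstaller\\version.dll
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

def parse_sysmon_messages(text: str) -> list[dict[str, str]]:
    """Split blank-line-separated messages into dicts of their 'Key: Value' fields."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # the "Image loaded:" title line has no value and is skipped
                fields[key] = value
        events.append(fields)
    return events

def is_suspicious_load(event: dict[str, str], signer_keyword: str = "Fortinet") -> bool:
    """A DLL under a FortiClient path loaded without a valid signature from the
    expected signer is the planted-DLL pattern this CVE describes."""
    loaded = event.get("ImageLoaded", "").lower()
    if "forticlient" not in loaded or not loaded.endswith(".dll"):
        return False  # only DLLs from FortiClient paths are in scope
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")
    return not validly_signed or signer_keyword.lower() not in event.get("Signature", "").lower()

def suspicious_loads(text: str) -> list[str]:
    """Return the ImageLoaded paths that trip the rule, for alerting or FIM follow-up."""
    return [e["ImageLoaded"] for e in parse_sysmon_messages(text) if is_suspicious_load(e)]

if __name__ == "__main__":
    for path in suspicious_loads(SAMPLE_EVENTS):
        print("suspicious DLL load:", path)
```

The signer keyword is a substring match against the Signature field; tighten it to the exact subject observed on a known-good FortiClient DLL before deploying the rule.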