A high-severity vulnerability has been identified in multiple Fortinet products, including specific versions of FortiClient for Windows. This flaw allows a local user with basic privileges to exploit the software and gain full administrative control over the system. Successful exploitation could lead to a complete system compromise, enabling an attacker to steal data, install malware, or disable security controls.

The vulnerability is an Exposed IOCTL with Insufficient Access Control (CWE-782). The FortiClient Windows driver exposes an Input/Output Control (IOCTL) interface that can be accessed by low-privileged local users. Due to insufficient access control checks, an authenticated attacker can send specially crafted IOCTL requests to the driver, leading to arbitrary code execution with kernel-level privileges. This effectively allows an attacker to escalate their privileges from a standard user to NT AUTHORITY\SYSTEM, gaining complete control over the endpoint.

This vulnerability is rated as High severity with a CVSS score of 7.8. A successful exploit would allow a low-privileged user, or malware already on the system, to gain full administrative control. This could lead to severe business consequences, including the theft and exfiltration of sensitive corporate data, deployment of ransomware, disruption of critical business operations, and the ability for an attacker to pivot and move laterally across the network. The compromise of a security product like FortiClient undermines the endpoint's entire security posture.

Immediate Action: Identify all endpoints running the vulnerable versions of Fortinet software and apply the security updates provided by the vendor immediately. Prioritize patching for critical systems and users with access to sensitive information. After patching, monitor for any signs of exploitation attempts by reviewing access logs and system events for anomalous activity.

Proactive Monitoring: Implement enhanced monitoring on endpoints. Look for unusual process behavior originating from FortiClient services, unexpected driver loads, or crashes in the Windows System event logs. Utilize Endpoint Detection and Response (EDR) solutions to detect suspicious API calls or memory manipulation attempts targeting the vulnerable driver.

Compensating Controls: If immediate patching is not feasible, enforce the principle of least privilege to limit user account capabilities. Use application control or whitelisting to prevent unauthorized executables from running. Isolate critical systems and enhance network segmentation to limit the potential for lateral movement from a compromised endpoint.

Public Exploit Available: false

Given the high severity (CVSS 7.8) and the potential for complete system compromise, this vulnerability poses a significant risk to the organization. We strongly recommend that all affected Fortinet products are patched on an emergency basis. While this vulnerability is not currently on the CISA KEV catalog, its nature as a privilege escalation flaw in a popular security product makes it a prime candidate for future exploitation. Organizations must act swiftly to apply vendor patches and implement proactive monitoring to mitigate the risk of endpoint compromise.