Fortinet FortiClient


By the Year

In 2026 there has been 1 vulnerability in Fortinet FortiClient, with an average score of 6.4 out of ten. Last year, in 2025, FortiClient had 17 security vulnerabilities published. Right now, FortiClient is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.16.




Year    Vulnerabilities    Average Score
2026    1                  6.40
2025    17                 6.24
2024    13                 7.53
2023    9                  6.70
2022    9                  7.38
2021    7                  6.51
2020    9                  6.64
2019    9                  6.99
2018    1                  0.00

It may take a day or so for new FortiClient vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Fortinet FortiClient Security Vulnerabilities

FortiClient Windows 7.x Improper Link Resolution CVE-2025-62676
CVE-2025-62676 6.4 - Medium - February 10, 2026

An Improper Link Resolution Before File Access ('Link Following') vulnerability [CWE-59] in Fortinet FortiClientWindows 7.4.0 through 7.4.4, FortiClientWindows 7.2.0 through 7.2.12, FortiClientWindows 7.0 all versions may allow a local low-privilege attacker to perform an arbitrary file write with elevated permissions via crafted named pipe messages.

insecure temporary file

FortiClient Windows 7.4.0-7.4.3 Debug Code PrivEsc
CVE-2025-54660 4.9 - Medium - November 18, 2025

An active debug code vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.10, FortiClientWindows 7.0 all versions may allow a local attacker to run the application step by step and retrieve the saved VPN user password.

Active Debug Code

FortiClient 7.2.0-7.4.3 Heap Overflow in fortips_74.sys (CWE-122)
CVE-2025-46373 7.1 - High - November 18, 2025

A Heap-based Buffer Overflow vulnerability [CWE-122] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.8 may allow an authenticated local IPSec user to execute arbitrary code or commands via "fortips_74.sys". The attacker would need to bypass the Windows heap integrity protections.

Heap-based Buffer Overflow

FortiClient Windows IOCTL Access Control Bypass 7.4.0-7.4.3 via fortips driver
CVE-2025-47761 7.1 - High - November 18, 2025

An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.9 may allow an authenticated local user to execute unauthorized code via fortips driver. Success of the attack would require bypassing the Windows memory protections such as Heap integrity and HSP. In addition, it requires a valid and running VPN IPSec connection.

Exposed IOCTL with Insufficient Access Control

FortiClient MacOS Improper Sig Verif CVE-2025-46774 7.4.2/7.2.9 Escalates Privs
CVE-2025-46774 6.8 - Medium - October 14, 2025

An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiClient MacOS installer version 7.4.2 and below, version 7.2.9 and below, 7.0 all versions may allow a local user to escalate their privileges via FortiClient related executables.

Improper Verification of Cryptographic Signature

FortiClientMac 7.2.1-7.4.3 Code Injection via Malicious Webpage
CVE-2025-31365 5.5 - Medium - October 14, 2025

An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac 7.4.0 through 7.4.3, 7.2.1 through 7.2.8 may allow an unauthenticated attacker to execute arbitrary code on the victim's host via tricking the user into visiting a malicious website.

Code Injection

FortiClient DLL Hijack via Uncontrolled Search Path v7.0-7.4.3
CVE-2025-57716 6 - Medium - October 14, 2025

An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local low privileged user to perform a DLL hijacking attack via placing a malicious DLL to the FortiClient Online Installer installation folder.

DLL preloading

FortiClientMac 7.0-7.4.3 Local RCE via LaunchDaemon Hijack
CVE-2025-57741 7 - High - October 14, 2025

An Incorrect Permission Assignment for Critical Resource vulnerability [CWE-732] in FortiClientMac 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local attacker to run arbitrary code or commands via LaunchDaemon hijacking.

Incorrect Permission Assignment for Critical Resource

Fortinet FortiClient v7.4.0-7.2.6 DNS Spoofing CVE-2024-54019
CVE-2024-54019 6.5 - Medium - June 10, 2025

An improper validation of certificate with host mismatch in Fortinet FortiClientWindows version 7.4.0, versions 7.2.0 through 7.2.6, and 7.0 all versions allows an unauthorized attacker to redirect VPN connections via DNS spoofing or another form of redirection.

Improper Validation of Certificate with Host Mismatch

FortiClientEMS Pre-7.4.0 Improper Auth Vulnerability (CVE-2024-32119)
CVE-2024-32119 - June 10, 2025

An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.

1390

Fortinet FortiClientEMS 7.4.x SSRF via crafted HTTP/HTTPS
CVE-2023-48786 - June 10, 2025

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS requests.

SSRF

FortiClient Mac 7.0-7.4 Escalation via Improper Auth XPC
CVE-2025-25251 7.4 - High - May 28, 2025

An Incorrect Authorization vulnerability [CWE-863] in FortiClient Mac 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 may allow a local attacker to escalate privileges via crafted XPC messages.

AuthZ

Fortinet FortiClient Windows: Info Disclosure via Port 8053 (7.2.0-7.2.1)
CVE-2025-24473 4.8 - Medium - May 28, 2025

An exposure of sensitive system information to an unauthorized control sphere vulnerability in Fortinet FortiClientWindows 7.2.0 through 7.2.1, FortiClientWindows 7.0.13 through 7.0.14 may allow an unauthorized remote attacker to view application information via navigation to a hosted webpage, if Windows is configured to accept incoming connections to port 8053 (non-default setup).

Exposure of Sensitive System Information to an Unauthorized Control Sphere

FortiClient <=7.4.1 XSS via EMS admin messages
CVE-2025-22855 4.8 - Medium - April 08, 2025

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code.

XSS

FortiClientMac <=7.2.3 Local Path Control via /tmp Config (CWE-73)
CVE-2023-45588 7.8 - High - March 14, 2025

An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.

External Control of File Name or Path

FortiClient Win <v7.4 Improper Access via FortiSSLVPNd (CVE-2024-40586)
CVE-2024-40586 - February 11, 2025

An Improper Access Control vulnerability [CWE-284] in FortiClient Windows version 7.4.0, version 7.2.6 and below, version 7.0.13 and below may allow a local user to escalate his privileges via FortiSSLVPNd service pipe.

Authorization

Improper Auth via Empty Password in FortiClientMac 7.2.4 (MacOS)
CVE-2024-52968 8.4 - High - February 11, 2025

An improper authentication in Fortinet FortiClientMac 7.0.11 through 7.2.4 allows an attacker to gain improper access to MacOS via empty password.

Authentication

FortiClient Win <=7.4.0 Hard-Coded Key Exploits IPC Decryption
CVE-2024-50564 3.3 - Low - January 14, 2025

A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named pipes.

Use of Hard-coded Credentials

FortiClient VCM Engine Privilege Escalation Vulnerability
CVE-2020-15934 7.8 - High - December 19, 2024

An execution with unnecessary privileges vulnerability in the VCM engine of FortiClient for Linux versions 6.2.7 and below, version 6.4.0 may allow local users to elevate their privileges to root by creating a malicious script or program on the target machine.

Improper Privilege Management

FortiClient: Cleartext Storage of Sensitive Information in VPN Password Handling
CVE-2024-50570 - December 18, 2024

A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiClientWindows 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13 and FortiClientLinux 7.4.0 through 7.4.2, 7.2.0 through 7.2.7, 7.0.0 through 7.0.13 may permit a local authenticated user to retrieve VPN password via memory dump, due to JavaScript's garbage collector.

Cleartext Storage of Sensitive Information

Fortinet FortiClientWindows Authentication Bypass via Named Pipe Spoofing
CVE-2024-47574 7.8 - High - November 13, 2024

An authentication bypass using an alternate path or channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows a low-privilege attacker to execute arbitrary code with high privilege via spoofed named pipe messages.

Missing Authentication for Critical Function

Fortinet FortiClientWindows DLL Hijacking Vulnerability
CVE-2024-36507 7.8 - High - November 12, 2024

An untrusted search path in Fortinet FortiClientWindows versions 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0 allows an attacker to run arbitrary code via DLL hijacking and social engineering.

Untrusted Path

FortiClient Windows Privilege Escalation via Lua Auto Patch Scripts
CVE-2024-36513 8.8 - High - November 12, 2024

A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate their privileges via lua auto patch scripts.

Privilege Context Switching Error

FortiClient MacOS: Improper Verification of Cryptographic Signature in Installer
CVE-2024-40592 6.7 - Medium - November 12, 2024

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiClient MacOS version 7.4.0, version 7.2.4 and below, version 7.0.10 and below, version 6.4.10 and below may allow a local authenticated attacker to swap the installer with a malicious package via a race condition during the installation process.

Improper Verification of Cryptographic Signature

FortiClient Improper cert validation (CVE-2022-45856) Windows/Linux/Mac pre-7.2.5
CVE-2022-45856 5.9 - Medium - September 10, 2024

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and both the service provider and the identity provider.

Improper Certificate Validation

FortiClient 7.0-7.2 Improper Cert Validation Allows MITM (CVE-2024-31489)
CVE-2024-31489 8.1 - High - September 10, 2024

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 7.2.0 through 7.2.2, 7.0.0 through 7.0.11, FortiClientLinux 7.2.0, 7.0.0 through 7.0.11 and FortiClientMac 7.0.0 through 7.0.11, 7.2.0 through 7.2.4 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation.

Improper Certificate Validation

FortiClient VPN iOS Cleartext Password Storage Vulnerability (CVE-2024-35282)
CVE-2024-35282 3.9 - Low - September 10, 2024

A cleartext storage of sensitive information in memory vulnerability [CWE-316] affecting FortiClient VPN iOS 7.2 all versions, 7.0 all versions, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an unauthenticated attacker that has physical access to a jailbroken device to obtain cleartext passwords via keychain dump.

Cleartext Storage of Sensitive Information in Memory

DHCP Client Leak via Classless Static Route (121)
CVE-2024-3661 7.6 - High - May 06, 2024

DHCP can add routes to a client's routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Missing Authentication for Critical Function

FortiClientMac External Control of File Name Vulnerability before 7.2.3 (CWE-73)
CVE-2024-31492 7.8 - High - April 10, 2024

An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.

External Control of File Name or Path

FortiClientLinux 7.0.3-7.2.0 Code Injection via Malicious Site
CVE-2023-45590 8.8 - High - April 09, 2024

An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows an attacker to execute unauthorized code or commands via tricking a FortiClientLinux user into visiting a malicious website.

Code Injection

SQLi in FortiClientEMS v7.2.0-7.2.2/v7.0.1-7.0.10 allows exec
CVE-2023-48788 9.3 - Critical - March 12, 2024

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.

SQL Injection

FortiClient Windows DoS before 7.0.8 via named pipe
CVE-2022-40681 7.1 - High - November 14, 2023

An incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to cause denial of service via sending a crafted request to a specific named pipe.

FortiClient Windows 7.0.9 Untrusted Search Path DLL Hijack via OpenSSL Engine
CVE-2023-41840 7.4 - High - November 14, 2023

An untrusted search path vulnerability in Fortinet FortiClientWindows 7.0.9 allows an attacker to perform a DLL Hijack attack via a malicious OpenSSL engine library in the search path.

Untrusted Path

Hard-Coded Credential Use in FortiClient 7.0.x/7.2.x Enables Bypass
CVE-2023-33304 5.5 - Medium - November 14, 2023

A use of hard-coded credentials vulnerability in Fortinet FortiClient Windows 7.0.0 - 7.0.9 and 7.2.0 - 7.2.1 allows an attacker to bypass system protections via the use of static credentials.

FortiClient <=7.2.0 Local Privileged Info Exposure Vulnerability (CWE-200)
CVE-2023-37939 3.3 - Low - October 10, 2023

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions, Linux 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions and Mac 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions, 6.2 all versions, may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.

FortiClient/Converter Windows local auth perm flaw 7.0.0-7.0.6,6.4.0-6.4.8
CVE-2022-33877 5.5 - Medium - June 13, 2023

An incorrect default permission [CWE-276] vulnerability in FortiClient (Windows) versions 7.0.0 through 7.0.6 and 6.4.0 through 6.4.8 and FortiConverter (Windows) versions 6.2.0 through 6.2.1, 7.0.0 and all versions of 6.0.0 may allow a local authenticated attacker to tamper with files in the installation folder, if FortiClient or FortiConverter is installed in an insecure folder.

Incorrect Default Permissions

FortiClient Windows <7.0.7: Permission & TOCTOU Race Command Exec
CVE-2022-43946 8.1 - High - April 11, 2023

Multiple vulnerabilities including an incorrect permission assignment for critical resource [CWE-732] vulnerability and a time-of-check time-of-use (TOCTOU) race condition [CWE-367] vulnerability in Fortinet FortiClientWindows before 7.0.7 allow attackers on the same file sharing network to execute commands via writing data into a Windows pipe.

TOCTTOU

Relative Path Traversal in FortiClient (Windows) 6.0-7.0 via Named Pipe
CVE-2022-42470 7.8 - High - April 11, 2023

A relative path traversal vulnerability in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.

Directory traversal

FortiClientMac v7.0.0-7.0.7 Vulnerable to Local PrivEsc via No Integrity Check
CVE-2023-22635 7.8 - High - April 11, 2023

A download of code without Integrity check vulnerability [CWE-494] in FortiClientMac version 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions, 5.6 all versions, 5.4 all versions, 5.2 all versions, 5.0 all versions and 4.0 all versions may allow a local attacker to escalate their privileges via modifying the installer upon upgrade.

Download of Code Without Integrity Check

FortiClient Windows Named Pipe Auth Bypass 6.0-7.0 (v6-7)
CVE-2022-40682 7.8 - High - April 11, 2023

An incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.

AuthZ

FortiClient Mac <=7.0.5 SSL-VPN Password Exposure via FortiTray logstream
CVE-2022-33878 5.5 - Medium - November 02, 2022

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Mac versions 7.0.0 through 7.0.5 may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext via running a logstream for the FortiTray process in the terminal.

Information Disclosure

Fortinet AV Engine Bypass via MIME Base64 (6.2.168/6.4.274)
CVE-2022-26122 8.6 - High - November 02, 2022

An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.

Insufficient Verification of Data Authenticity

CVE-2022-26113 7.1 - High - July 19, 2022

An execution with unnecessary privileges vulnerability [CWE-250] in FortiClientWindows 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.10 may allow a local attacker to perform an arbitrary file write on the system.

Improper Privilege Management

CVE-2021-41031 7.8 - High - July 18, 2022

A relative path traversal vulnerability [CWE-23] in FortiClient for Windows versions 7.0.2 and prior, 6.4.6 and prior and 6.2.9 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for FortiESNAC service.

Directory traversal

CVE-2021-43066 7.8 - High - May 11, 2022

An external control of file name or path in Fortinet FortiClientWindows version 7.0.2 and below, version 6.4.6 and below, version 6.2.9 and below, version 6.0.10 and below allows an attacker to escalate privilege via the MSI installer.

Exposure of Resource to Wrong Sphere

CVE-2021-44167 7.5 - High - May 11, 2022

An incorrect permission assignment for critical resource vulnerability [CWE-732] in FortiClient for Linux version 6.0.8 and below, 6.2.9 and below, 6.4.7 and below, 7.0.2 and below may allow an unauthenticated attacker to access sensitive information in log files and directories via symbolic links.

Incorrect Permission Assignment for Critical Resource

CVE-2021-22127 8 - High - April 06, 2022

An improper input validation vulnerability in FortiClient for Linux 6.4.x before 6.4.3, FortiClient for Linux 6.2.x before 6.2.9 may allow an unauthenticated attacker to execute arbitrary code on the host operating system as root via tricking the user into connecting to a network with a malicious name.

Shell injection

CVE-2021-43205 5.3 - Medium - April 06, 2022

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Linux version 7.0.2 and below, 6.4.7 and below and 6.2.9 and below may allow an unauthenticated attacker to access the confighandler webserver via external binaries.

Information Disclosure

CVE-2021-44169 8.8 - High - April 06, 2022

An improper initialization in Fortinet FortiClient (Windows) version 6.0.10 and below, version 6.2.9 and below, version 6.4.7 and below, version 7.0.3 and below allows an attacker to gain administrative privileges via placing a malicious executable inside the FortiClient installer's directory.

Improper Initialization

CVE-2021-41028 7.5 - High - December 16, 2021

A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in FortiClientWindows, FortiClientLinux and FortiClientMac 7.0.1 and below, 6.4.6 and below may allow an unauthenticated and network adjacent attacker to perform a man-in-the-middle attack between the EMS and the FCT via the telemetry protocol.

Use of Hard-coded Credentials
