FortiClient Linux - Command injection vulnerability


An OS command injection (CWE-78) vulnerability in FortiClient for Linux may allow an unauthenticated, network-adjacent attacker to execute arbitrary privileged commands on the Linux appliance on which FortiClient is running by tricking the user into connecting to a network with a malicious name (SSID).

A successful attack requires that the attacker has control over the access point the host is connected to. 

Affected Products

FortiClient for Linux versions 6.2.8 and below.
FortiClient for Linux versions 6.4.2 and below.


Please upgrade to FortiClient for Linux version 6.2.9 or above.
Please upgrade to FortiClient for Linux version 6.4.3 or above.
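
A version triage check for the ranges listed above, added here as an example and not Fortinet code. The inventory, hostnames and function names are constructed; it assumes each listed range applies to its own release branch and that branches older than 6.2 are also covered by "and below".

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(6, 2): (6, 2, 9), (6, 4): (6, 4, 3)}


def parse_version(text):
    """Return (major, minor, patch) from strings like '6.4.2' or '6.4.2.0356'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[.\-+~]\S*)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """Apply the advisory's ranges to one FortiClient for Linux version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Assumption: "and below" also covers branches older than 6.2; branches
    # the advisory does not list (6.3, anything above 6.4) are not flagged.
    return branch < (6, 2)


def triage(inventory):
    """Map each host to 'ok', 'unknown', or the upgrade target it needs."""
    report = {}
    for host, version in inventory.items():
        try:
            affected = is_affected(version)
        except ValueError:
            report[host] = "unknown"  # unparseable version: check by hand
            continue
        if affected:
            # Older branches are pointed at the lowest fixed release.
            target = FIXED.get(parse_version(version)[:2], FIXED[(6, 2)])
            report[host] = "upgrade to %d.%d.%d or above" % target
        else:
            report[host] = "ok"
    return report


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE = {"lap-01": "6.2.8", "lap-02": "6.4.2.0356", "lap-03": "6.4.3",
          "lap-04": "6.0.5", "lap-05": "7.0.0", "lap-06": "n/a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```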


Internally discovered and reported by Mattia Fecit of the Fortinet PSIRT team.