FortiClient (Windows) - Arbitrary file deletion from unprivileged users

Summary

An incorrect authorization [CWE-863] vulnerability in FortiClient (Windows) may allow a local, low-privileged attacker to delete arbitrary files on the device filesystem, including files the attacker's own account has no permission to remove.

Version                  Affected               Solution
FortiClientWindows 7.2   Not affected           Upgrade to 7.2.0 or above
FortiClientWindows 7.0   7.0.0 through 7.0.7    Upgrade to 7.0.8 or above
FortiClientWindows 6.4   6.4.0 through 6.4.8    Upgrade to 6.4.9 or above
FortiClientWindows 6.2   6.2 all versions       Migrate to a fixed release
FortiClientWindows 6.0   6.0 all versions       Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
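The following script is an added example (not Fortinet code) that checks an installed FortiClient (Windows) version against the affected ranges in the table above. It compares only the first three version components, so a four-part build string such as 7.0.7.0123 is still classified as affected, and it treats the 6.0 and 6.2 branches as affected at every release. The registry lookup assumes FortiClient registers a standard Windows Uninstall entry whose DisplayName begins with "FortiClient"; that key name is an assumption, and the function simply returns None when it is not found or when run off Windows. Branches not listed in the table are reported as unknown rather than as safe.

```python
"""Check a FortiClient (Windows) version against the affected ranges in this
advisory.  Added example, not Fortinet code.  The ranges below are transcribed
from the advisory table; the Uninstall-key lookup is an assumption."""
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.0.7' -> (7, 0, 7).  Keeps leading numeric components, drops any
    trailing suffix such as '-beta'; raises on strings with fewer than two."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


# (branch, first affected, last affected, remediation).  A last of None means
# every release in the branch is affected; a first of None means not affected.
BRANCHES = [
    ((7, 2), None, None, "not affected"),
    ((7, 0), (7, 0, 0), (7, 0, 7), "upgrade to 7.0.8 or above"),
    ((6, 4), (6, 4, 0), (6, 4, 8), "upgrade to 6.4.9 or above"),
    ((6, 2), (6, 2, 0), None, "migrate to a fixed release"),
    ((6, 0), (6, 0, 0), None, "migrate to a fixed release"),
]


def assess(version: str) -> Tuple[Optional[bool], str]:
    """Return (affected, advice).  affected is None for branches the advisory
    does not list.  Only major.minor.patch is compared, so a build number
    appended to an affected patch level cannot make it look fixed."""
    v = parse_version(version)
    core = (v + (0, 0))[:3]  # pad '7.0' to (7, 0, 0), trim '7.0.7.0123'
    for branch, first, last, advice in BRANCHES:
        if core[:2] != branch:
            continue
        if first is None:
            return False, advice
        if core < first:
            return False, "below the listed range; confirm with the vendor"
        if last is not None and core > last:
            return False, f"not affected ({advice})"
        return True, advice
    return None, "branch not listed in this advisory"


def installed_version() -> Optional[str]:
    """Read FortiClient's DisplayVersion from the Windows Uninstall keys.
    Returns None off Windows or when no matching entry exists.  The
    DisplayName prefix 'FortiClient' is an assumption."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    roots = [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ]
    for root in roots:
        try:
            base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with base:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(base, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(base, name) as sub:
                        display, _ = winreg.QueryValueEx(sub, "DisplayName")
                        if str(display).startswith("FortiClient"):
                            ver, _ = winreg.QueryValueEx(sub, "DisplayVersion")
                            return str(ver)
                except OSError:
                    continue  # entry lacks DisplayName/DisplayVersion
    return None


if __name__ == "__main__":
    # Usage: python check_forticlient.py [version]; defaults to the registry.
    target = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    if target is None:
        sys.exit("no version given and FortiClient not found in the registry")
    affected, advice = assess(target)
    print(f"{target}: affected={affected}; {advice}")
```

Run it with an explicit version string to test a fleet inventory export offline, or with no argument on a Windows host to read the installed version. Anything reported as None should be resolved against the vendor's upgrade tool rather than assumed clean.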

Acknowledgement

Fortinet is pleased to thank Daniel Hulliger from Armasuisse CYD Campus for reporting this vulnerability under responsible disclosure.

Timeline

2023-10-10: Initial publication