Arbitrary file deletion from unprivileged users

Summary

An incorrect authorization [CWE-863] vulnerability in FortiClient (Windows) may allow a local low privileged attacker to perform arbitrary file deletion in the device filesystem.

Version Affected Solution
FortiClientWindows 7.2 Not affected Not Applicable
FortiClientWindows 7.0 7.0.0 through 7.0.7 Upgrade to 7.0.8 or above
FortiClientWindows 6.4 6.4.0 through 6.4.8 Upgrade to 6.4.9 or above
FortiClientWindows 6.2 6.2 all versions Migrate to a fixed release
FortiClientWindows 6.0 6.0 all versions Migrate to a fixed release

Acknowledgement

Fortinet is pleased to thank Daniel Hulliger from Armasuisse CYD Campus for reporting this vulnerability under responsible disclosure.

Timeline

2023-10-10: Initial publication