CVE-2022-33877: 
FortiClient vulnerability analysis and mitigation

An incorrect default permissions vulnerability (CVE-2022-33877) was discovered in FortiClient (Windows) versions 7.0.0 through 7.0.6 and 6.4.0 through 6.4.8, as well as FortiConverter (Windows) versions 6.2.0 through 6.2.1, 7.0.0 and all versions of 6.0.0. The vulnerability was initially published on June 12, 2023, and affects the installation folder permissions of these applications (Fortinet Advisory).

The vulnerability is classified as CWE-276 (Incorrect Default Permissions) and received a CVSS v3.1 base score of 5.5 (Medium) from NIST NVD, while Fortinet assigned it a higher CVSS score of 7.0 (High). The vulnerability specifically relates to improper access control in the installation folder, which could be exploited if the software is installed in an insecure location (NVD, Fortinet Advisory).

If exploited, this vulnerability allows a local authenticated attacker to tamper with files in the installation folder of FortiClient or FortiConverter when these applications are installed in an insecure folder location (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiClientWindows version 7.0.7 or above, FortiClientWindows version 6.4.9 or above, FortiConverter version 7.0.1 or above, or FortiConverter version 6.2.2 or above (Fortinet Advisory).

The vulnerability was responsibly disclosed by Konrad Haase from Control Gap, and Fortinet acknowledged their contribution in identifying this security issue (Fortinet Advisory).