CVE-2022-40682: 
FortiClient vulnerability analysis and mitigation

An incorrect authorization vulnerability (CVE-2022-40682) was discovered in Fortinet FortiClient (Windows) versions 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.10. The vulnerability was initially published on April 11, 2023, and was reported by Daniel Hulliger from Armasuisse CYD Campus under responsible disclosure (Fortinet Advisory).

The vulnerability is classified as an incorrect authorization issue (CWE-863) that allows an attacker to execute unauthorized code or commands by sending a crafted request to a specific named pipe. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows a local low privileged attacker to perform arbitrary file creation in the device filesystem and execute unauthorized code or commands (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiClientWindows version 7.2.0 or above, or alternatively to FortiClientWindows version 7.0.8 or above (Fortinet Advisory).