CVE-2023-22635: 
FortiClient vulnerability analysis and mitigation

A download of code without Integrity check vulnerability (CWE-494) was discovered in FortiClientMac, affecting versions from 4.0 through 7.0.7. The vulnerability was internally discovered and reported by Eric Hu of Fortinet Software Development team and was initially published on April 11, 2023 (Vendor Advisory).

The vulnerability is classified as a download of code without integrity check issue (CWE-494). It has been assigned a CVSS v3.1 base score of 7.8 HIGH (NIST) and 7.3 HIGH (Fortinet), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires local access and low privileges to exploit (NVD).

The vulnerability allows a local attacker to escalate their privileges by modifying the installer during the upgrade process. This could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (Vendor Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiClientMac version 7.0.8 or above, or alternatively to FortiClientMac version 7.2.0 or above (Vendor Advisory).