FortiClient (Windows) - Arbitrary file write as SYSTEM

Summary

An execution with unnecessary privileges vulnerability [CWE-250] in FortiClientWindows may allow a local attacker to perform an arbitrary file write on the system.

Affected Products

FortiClientWindows version 6.0.0 through 6.0.10
FortiClientWindows version 6.2.0 through 6.2.9
FortiClientWindows version 6.4.0 through 6.4.7
FortiClientWindows version 7.0.0 through 7.0.3

Solutions

Please upgrade to FortiClientWindows 7.0.4 or above.
Please upgrade to FortiClientWindows 6.4.8 or above.

Acknowledgement

Fortinet is pleased to thank David Yesland from Rhino Security Labs for bringing this issue to our attention under responsible disclosure.