CVE-2025-57716: Execute unauthorized code or commands in Fortinet FortiClientWindows
An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local low-privileged user to perform a DLL hijacking attack by placing a malicious DLL in the FortiClient Online Installer installation folder.
AI Analysis
Technical Summary
CVE-2025-57716 is an Uncontrolled Search Path Element vulnerability (CWE-427) affecting Fortinet FortiClient for Windows versions 7.0.0, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.3. The vulnerability arises because the FortiClient Online Installer improperly handles DLL loading paths, allowing a local user with low privileges to place a malicious DLL in the installation directory. When the installer or associated processes load DLLs, they may load the malicious DLL instead of the legitimate one, enabling the attacker to execute arbitrary code with the privileges of the FortiClient process. Exploitation requires local access, user interaction, and has a high attack complexity, but successful exploitation can compromise confidentiality, integrity, and availability of the affected system. The CVSS v3.1 score is 6.0 (medium severity), reflecting these factors. No public exploits are known at this time, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability affects multiple major FortiClient versions widely used in enterprise environments for endpoint security and VPN access.
Potential Impact
For European organizations, this vulnerability poses a risk of local privilege escalation and unauthorized code execution on endpoints running vulnerable FortiClient versions. Successful exploitation could allow attackers to bypass endpoint security controls, access sensitive data, disrupt VPN connectivity, or establish persistent footholds within corporate networks. This is particularly impactful for organizations relying on FortiClient for secure remote access, such as financial institutions, government agencies, and critical infrastructure operators. The compromise of endpoint integrity can lead to lateral movement, data exfiltration, or ransomware deployment. Although exploitation requires local access and user interaction, insider threats or social engineering could facilitate attacks. The medium severity rating suggests a moderate but non-trivial risk that should be mitigated to protect confidentiality, integrity, and availability of corporate assets.
Mitigation Recommendations
1. Apply vendor patches immediately once released to address the DLL hijacking vulnerability.
2. Until patches are available, restrict write permissions on the FortiClient Online Installer folder to prevent unauthorized DLL placement, limiting this to trusted administrators only.
3. Implement application whitelisting to prevent execution of unauthorized DLLs or binaries in FortiClient directories.
4. Monitor file system changes and use endpoint detection tools to alert on suspicious DLL additions or modifications in FortiClient installation paths.
5. Educate users about the risks of executing untrusted installers or files and enforce least privilege principles to reduce the risk of local exploitation.
6. Conduct regular audits of endpoint security configurations and FortiClient installations to ensure compliance with security policies.
7. Consider network segmentation and endpoint isolation to limit the impact of a compromised device.
8. Maintain up-to-date antivirus and endpoint detection and response (EDR) solutions capable of detecting DLL hijacking attempts.
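The following PowerShell script is an added example illustrating recommendations 2 and 4 above; it is not part of the advisory and is not Fortinet's tooling. It audits a folder's ACL for Allow entries that grant write or modify rights to any principal outside a short trusted list, and then lists DLLs in that folder whose Authenticode signature is not valid, which is the kind of check an endpoint baseline or scheduled audit would run. The path in `$InstallerFolder` is a placeholder (the advisory does not state the installer folder location), and the `$TrustedWriters` list is an assumption that should be adjusted to the endpoint's hardening standard.

```powershell
# Added example, not from the advisory or Fortinet: audit a folder for write access by
# non-administrative principals and for DLLs without a valid Authenticode signature.
# $InstallerFolder is a PLACEHOLDER; point it at the real FortiClient Online Installer folder.
param(
    [string]$InstallerFolder = 'C:\Path\To\FortiClient\OnlineInstaller'   # placeholder
)

# Assumed set of identities that may legitimately hold write rights on a protected folder.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights lets a principal create or replace a file in the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-UntrustedWriteAces {
    # Returns every Allow ACE that grants write-class rights to a principal not in $TrustedWriters.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsWrite = (($ace.FileSystemRights -band $WriteMask) -ne 0)
        if ($grantsWrite -and ($TrustedWriters -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-DllSignatureReport {
    # Returns one record per DLL under $Path with its Authenticode status and signer subject.
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter '*.dll' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }
}

if (-not (Test-Path -Path $InstallerFolder)) {
    Write-Warning "Folder not found: $InstallerFolder (pass -InstallerFolder with the real path)"
    return
}

$writers = @(Get-UntrustedWriteAces -Path $InstallerFolder)
if ($writers.Count -eq 0) {
    Write-Output "No untrusted principal holds write rights on $InstallerFolder"
} else {
    Write-Warning "Untrusted principals can write to $InstallerFolder; DLL planting is possible:"
    $writers | Format-Table -AutoSize
}

# DLLs whose signature is anything other than Valid deserve a closer look.
Get-DllSignatureReport -Path $InstallerFolder |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it as an administrator so `Get-Acl` can read the full DACL. An empty table for both checks is the expected state after recommendation 2 has been applied; an unexpected `BUILTIN\Users` or `Authenticated Users` entry with `Modify` or `Write` is the precondition the advisory describes and should be corrected with `icacls` or `Set-Acl` before any unsigned DLL in the folder is investigated.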
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-08-18T12:44:08.800Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee702c75ce224a0426b91a
Added to database: 10/14/2025, 3:45:48 PM
Last enriched: 10/14/2025, 3:56:39 PM
Last updated: 10/14/2025, 8:00:40 PM