CVE-2025-57716: Execute unauthorized code or commands in Fortinet FortiClientWindows
An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local low privileged user to perform a DLL hijacking attack via placing a malicious DLL to the FortiClient Online Installer installation folder.
AI Analysis
Technical Summary
CVE-2025-57716 is an Uncontrolled Search Path Element vulnerability (CWE-427) found in Fortinet FortiClient for Windows versions 7.0.0, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.3. The vulnerability arises because the FortiClient Online Installer improperly handles DLL loading paths, allowing a local low-privileged user to perform a DLL hijacking attack. By placing a malicious DLL in the installation folder, the attacker can trick the FortiClient installer or related processes into loading the malicious DLL instead of the legitimate one. This leads to unauthorized code execution with the privileges of the FortiClient process, potentially escalating privileges or executing arbitrary commands. The CVSS 3.1 score of 6.0 reflects medium severity, with an attack vector limited to local access (AV:L), high attack complexity (AC:H), requiring low privileges (PR:L) and user interaction (UI:R). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning successful exploitation can fully compromise the system. No public exploits or active exploitation have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is the insecure search path for DLLs during installation, a common vector for local privilege escalation. Fortinet has not yet provided patch links, so organizations must implement interim mitigations until official fixes are released.
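The precondition for the attack described above is that a low-privileged account can create or replace files in the folder the installer searches. The PowerShell script below is an added example, not Fortinet's code: it audits one folder and the DLL/EXE files under it for Allow ACEs that give low-privileged principals write-type rights. The folder path is a placeholder for the FortiClient Online Installer folder, and the list of low-privileged principals is an assumption to adjust for the environment.

```powershell
# Added example, not Fortinet code. Audits a folder (and the DLL/EXE files under it)
# for Allow ACEs that grant low-privileged principals write-type rights, which is the
# precondition for planting a DLL where a CWE-427 search path will find it.
# $Path is a placeholder: pass the actual FortiClient Online Installer folder.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Assumption: groups that every local low-privileged account belongs to.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that allow creating, replacing or removing a file (Modify and FullControl
# include all of them; CreateFiles is the same bit as WriteData).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, Modify, FullControl'
# Generic rights bits (GENERIC_ALL | GENERIC_WRITE) that can appear on inherit-only ACEs.
$GenericWrite = 0x10000000 -bor 0x40000000

function Get-LowPrivWriteAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        $hasWrite   = ($rights -band [int]$WriteRights) -ne 0
        $hasGeneric = ($rights -band $GenericWrite) -ne 0
        if (-not ($hasWrite -or $hasGeneric)) { continue }
        [pscustomobject]@{
            Path      = $Target
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# Check the folder itself, then every DLL and EXE beneath it.
$findings = @(Get-LowPrivWriteAce -Target $Path)
$files = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.dll', '.exe' }
foreach ($f in $files) {
    $findings += Get-LowPrivWriteAce -Target $f.FullName
}

if ($findings.Count -eq 0) {
    Write-Output "No write-type access for low-privileged principals under $Path"
} else {
    Write-Warning "$($findings.Count) ACE(s) grant low-privileged write access under $Path"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every ACL can be read. The script only reports; tightening the ACL is deliberately left to a separate, reviewed change (for example with icacls) so that an installer still run by administrators is not broken by an automated rewrite.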
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially to those relying on FortiClient for endpoint security and VPN access. Successful exploitation can lead to local privilege escalation, allowing attackers to execute arbitrary code with elevated privileges, potentially compromising sensitive data, disrupting operations, or establishing persistent footholds. This is particularly critical for sectors like finance, government, healthcare, and critical infrastructure where Fortinet products are widely deployed. The requirement for local access and user interaction limits remote exploitation, but insider threats or compromised endpoints could leverage this vulnerability to escalate privileges. The high impact on confidentiality, integrity, and availability means that exploitation could lead to data breaches, system manipulation, or denial of service. Given FortiClient’s role in securing remote access and endpoint protection, exploitation could undermine broader network security postures in affected organizations.
Mitigation Recommendations
Until official patches are released by Fortinet, European organizations should implement the following mitigations:
1) Restrict write permissions to the FortiClient Online Installer folder and related directories to prevent unauthorized DLL placement by low-privileged users.
2) Employ application whitelisting or allowlisting to block execution of unauthorized DLLs or binaries in FortiClient directories.
3) Monitor file system changes and audit DLL loads within FortiClient processes to detect suspicious activity.
4) Educate users to avoid running untrusted installers or software that could drop malicious DLLs.
5) Use endpoint detection and response (EDR) tools to identify anomalous process behavior related to FortiClient.
6) Prepare for rapid deployment of Fortinet patches once available by maintaining up-to-date asset inventories and patch management processes.
7) Consider isolating or limiting local user privileges on systems running FortiClient to reduce attack surface.
These targeted steps go beyond generic advice by focusing on the specific attack vector and environment of the vulnerability.
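Mitigation 3 asks for auditing of DLL loads within FortiClient processes. One concrete way to do that on hosts running Sysmon is to review ImageLoad records (Event ID 7) for modules loaded from the installer folder that are unsigned or not signed by the expected publisher. The script below is an added example, not Fortinet's code; it assumes Sysmon is installed with ImageLoad logging enabled, the folder path is a placeholder for the FortiClient Online Installer folder, and the expected-signer substring is an assumption to confirm against a known-good load.

```powershell
# Added example, not Fortinet code. Pulls Sysmon ImageLoad records (Event ID 7) from
# the last $Hours hours and reports modules loaded from the installer folder that are
# unsigned, have an invalid signature, or are signed by someone other than the
# expected publisher. Assumes Sysmon with ImageLoad logging enabled.
# $InstallerFolder is a placeholder for the FortiClient Online Installer folder;
# $ExpectedSigner is an assumed substring to match in Sysmon's Signature field.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerFolder,
    [int]$Hours = 24,
    [string]$ExpectedSigner = 'Fortinet'
)

# Flatten the EventData section of one Sysmon record into a plain object.
function ConvertFrom-SysmonImageLoad {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time            = $Record.TimeCreated
        Process         = $data['Image']
        ImageLoaded     = $data['ImageLoaded']
        Signed          = $data['Signed']
        Signature       = $data['Signature']
        SignatureStatus = $data['SignatureStatus']
        Hashes          = $data['Hashes']
        User            = $data['User']
    }
}

# True when the module came from the watched folder and its signature does not
# check out: not signed, not Valid, or not from the expected signer.
function Test-SuspiciousLoad {
    param($Load, [string]$Folder, [string]$Signer)
    if (-not $Load.ImageLoaded) { return $false }
    $prefix = $Folder.TrimEnd('\') + '\'
    if (-not $Load.ImageLoaded.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false
    }
    $notValid    = ($Load.Signed -ne 'true') -or ($Load.SignatureStatus -ne 'Valid')
    $wrongSigner = $Load.Signature -notlike "*$Signer*"
    return ($notValid -or $wrongSigner)
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7
    StartTime = (Get-Date).AddHours(-$Hours)
}
# SilentlyContinue: Get-WinEvent raises an error rather than returning nothing when no records match.
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$suspicious = foreach ($r in $records) {
    $load = ConvertFrom-SysmonImageLoad -Record $r
    if (Test-SuspiciousLoad -Load $load -Folder $InstallerFolder -Signer $ExpectedSigner) { $load }
}

if (-not $suspicious) {
    Write-Output "No unexpected module loads from $InstallerFolder in the last $Hours hour(s)"
} else {
    Write-Warning "$(@($suspicious).Count) unexpected module load(s) from $InstallerFolder"
    $suspicious | Sort-Object Time |
        Format-Table Time, Process, ImageLoaded, Signature, SignatureStatus -AutoSize
}
```

A hit from this query is worth correlating with file-creation events for the same path (Sysmon Event ID 11) to see which account wrote the module and when, which answers whether mitigation 1 (write restrictions on the folder) was actually in force on that host.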
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-08-18T12:44:08.800Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee702c75ce224a0426b91a
Added to database: 10/14/2025, 3:45:48 PM
Last enriched: 1/14/2026, 2:48:56 PM
Last updated: 1/18/2026, 10:14:31 AM