
CVE-2025-57716: Execute unauthorized code or commands in Fortinet FortiClientWindows

Severity: Medium
Published: Tue Oct 14 2025 (10/14/2025, 15:23:10 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiClientWindows

Description

An Uncontrolled Search Path Element vulnerability [CWE-427] in FortiClient Windows 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local low privileged user to perform a DLL hijacking attack via placing a malicious DLL to the FortiClient Online Installer installation folder.

AI-Powered Analysis

Last updated: 10/21/2025, 16:46:25 UTC

Technical Analysis

CVE-2025-57716 is an Uncontrolled Search Path Element vulnerability (CWE-427) in Fortinet FortiClient for Windows, specifically versions 7.0.0, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.3. The vulnerability arises because the FortiClient Online Installer resolves DLLs from a search path it does not fully control, so a local attacker with low privileges who can place a malicious DLL in the installation directory gets that DLL loaded in place of the legitimate one when FortiClient executes, resulting in execution of unauthorized code or commands. The attack requires local access to the system and write access to the installation folder, which may be restricted by default. Attack complexity is high and user interaction is required, as indicated by the CVSS vector (AV:L/AC:H/PR:L/UI:R). The vulnerability impacts confidentiality, integrity, and availability, potentially allowing privilege escalation and persistent compromise of the affected endpoint. No public exploits have been reported yet, but the vulnerability is officially published with a CVSS score of 6.0 (medium severity). FortiClient is widely used in enterprise environments for endpoint security and VPN access, which makes this vulnerability relevant for organizations relying on Fortinet products for network security.

Potential Impact

For European organizations, this vulnerability poses a risk of local privilege escalation and unauthorized code execution on endpoints running vulnerable FortiClient versions. Successful exploitation could lead to compromise of sensitive data, disruption of endpoint security functions, and lateral movement within corporate networks. Organizations in sectors with strict regulatory requirements for data protection, such as finance, healthcare, and critical infrastructure, may face compliance consequences if this vulnerability is exploited. The need for local access and user interaction limits remote exploitation, but insider threats or compromised user accounts could leverage this vulnerability. Additionally, a malicious DLL that persists in the installer folder could evade detection and complicate incident response. Given FortiClient's widespread deployment in European enterprises, the vulnerability could affect a significant number of endpoints, increasing the attack surface.

Mitigation Recommendations

To mitigate CVE-2025-57716, organizations should immediately review and restrict write permissions on FortiClient Online Installer directories so that low-privileged users cannot place DLLs there. Implement application whitelisting and endpoint detection solutions to monitor and block suspicious DLL loads. Educate users about the risks of executing untrusted installers and the importance of maintaining endpoint hygiene. Obtain patches or updates from Fortinet and apply them as soon as they become available. Regularly audit endpoints for unauthorized DLLs in FortiClient directories and employ integrity monitoring tools. Additionally, consider isolating critical systems and enforcing least privilege principles to reduce the impact of local exploits. Incident response plans should be updated to include detection and remediation steps for DLL hijacking scenarios.
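The permission review and DLL audit recommended above can be scripted. The following PowerShell is an added example, not code from the advisory or from Fortinet; it checks a folder for write-capable ACEs granted to broad low-privileged principals and lists DLLs in it that do not carry a valid Authenticode signature. The installer folder path is a placeholder assumption, since the advisory does not name it.

```powershell
# Added example (not from the advisory or from Fortinet): audit a FortiClient
# folder for the two conditions a CWE-427 DLL hijack depends on:
#   1. low-privileged principals can write into the folder, and
#   2. DLLs present there are not validly signed.
# The default path is a placeholder assumption; point it at the real
# FortiClient Online Installer folder on your endpoints.

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Principals that every local, low-privileged user is a member of.
    $broadPrincipals = @('Everyone', 'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Any of these rights is enough to drop or replace a DLL in the folder.
    $writeLike = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, Modify, FullControl'
    $genericWrite = 0x40000000   # GENERIC_WRITE as it appears in raw ACEs

    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights.value__ -band $writeLike.value__) -ne 0 -or
         ($_.FileSystemRights.value__ -band $genericWrite) -ne 0)
    } | ForEach-Object {
        [pscustomobject]@{ Path = $Path; Principal = $_.IdentityReference.Value
                           Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
    }
}

function Get-UnsignedDll {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Anything other than a valid signature deserves a look; the signer
            # subject tells you whether the DLL is even the vendor's.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ File = $_.FullName; Status = $sig.Status
                                   Signer = $sig.SignerCertificate.Subject }
            }
        }
}

# Usage: placeholder path, replace with the real installer folder.
$installer = 'C:\PLACEHOLDER\FortiClientOnlineInstaller'
Get-BroadWriteAccess -Path $installer | Format-Table -AutoSize
Get-UnsignedDll -Path $installer | Format-Table -AutoSize
```

An empty result from the first function means no broad principal holds write-like rights on the folder itself; inherited ACEs on subfolders and the parent directory should be checked the same way.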


Technical Details

Data Version: 5.1
Assigner Short Name: fortinet
Date Reserved: 2025-08-18T12:44:08.800Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ee702c75ce224a0426b91a

Added to database: 10/14/2025, 3:45:48 PM

Last enriched: 10/21/2025, 4:46:25 PM

Last updated: 12/3/2025, 11:50:30 PM

