CVE-2025-57716 is a vulnerability classified as an Uncontrolled Search Path Element (CWE-427) found in Fortinet's FortiClient Windows software versions 7.0.0, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.3. The flaw arises because the FortiClient Online Installer improperly handles the DLL search path, allowing a local attacker with low privileges to place a malicious DLL in the installation directory. When the installer or FortiClient executes, it may load the malicious DLL instead of the legitimate one, resulting in arbitrary code execution with the privileges of the running process. This type of DLL hijacking attack exploits the search order Windows uses to locate DLLs, which can be manipulated if the search path is not securely controlled. The vulnerability requires local access and user interaction, as the attacker must place the DLL and trigger the installer or client execution. The CVSS v3.1 score of 6.0 reflects medium severity, with high impact on confidentiality, integrity, and availability, but with higher attack complexity and required privileges limiting ease of exploitation. No public exploits or active exploitation have been reported as of the publication date. The vulnerability affects multiple recent FortiClient versions, widely used for endpoint security and VPN access, making it a relevant concern for organizations relying on Fortinet solutions for secure remote access and endpoint protection.

If exploited, this vulnerability could allow a local attacker to execute arbitrary code with the privileges of the FortiClient process, potentially leading to full compromise of the endpoint. This could result in unauthorized access to sensitive data, disruption of security controls, and persistence on the affected system. Given FortiClient's role in endpoint security and VPN connectivity, successful exploitation could undermine network security by enabling attackers to bypass protections, intercept communications, or move laterally within an organization. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk in environments where multiple users share systems or where attackers can gain initial footholds with low privileges. The impact spans confidentiality, integrity, and availability, as attackers could steal data, modify system behavior, or cause denial of service. Organizations with large deployments of FortiClient on Windows endpoints, especially in sectors with high security requirements, face increased risk of targeted attacks leveraging this vulnerability.

Organizations should immediately verify if their FortiClient Windows installations fall within the affected versions (7.0.0, 7.2.0-7.2.11, 7.4.0-7.4.3) and apply any available patches or updates from Fortinet as soon as they are released. In the absence of patches, administrators should restrict write permissions on the FortiClient Online Installer installation folder to prevent unauthorized DLL placement, limiting access to trusted administrators only. Employ application whitelisting to prevent execution of unauthorized DLLs and binaries within the FortiClient directories. Monitor file system changes in the installation folder for suspicious activity. Educate users about the risks of running installers or clients from untrusted locations and enforce the principle of least privilege to reduce the likelihood of local privilege escalation. Additionally, consider deploying endpoint detection and response (EDR) solutions to detect anomalous DLL loading or process behavior related to FortiClient. Regularly audit local user permissions and system configurations to minimize attack surface. Finally, maintain robust incident response plans to quickly address any suspected exploitation attempts.