Lucene search
K

Fortinet FortiClient Local privilege escalation in XPC services (FG-IR-25-016) (macOS)

🗓️ 13 May 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 11 Views

Fortinet FortiClient on macOS has local privilege escalation vulnerability in XPC services (FG-IR-25-016).

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2025-25251
28 May 202508:15
attackerkb
BDU FSTEC
The vulnerability of the FortiClient for MAC protection mechanism lies in its authentication procedures’ flaws, which allow attackers to escalate their privileges.
18 Aug 202500:00
bdu_fstec
Circl
CVE-2025-25251
28 May 202508:19
circl
CNNVD
Fortinet FortiClientMAC 安全漏洞
28 May 202500:00
cnnvd
CNVD
Fortinet FortiClientMAC Authorization Issue Vulnerability (CNVD-2025-12790)
11 Jun 202500:00
cnvd
CVE
CVE-2025-25251
28 May 202507:53
cve
Cvelist
CVE-2025-25251
28 May 202507:53
cvelist
EUVD
EUVD-2025-16290
3 Oct 202520:07
euvd
NVD
CVE-2025-25251
28 May 202508:15
nvd
OSV
CVE-2025-25251
28 May 202508:15
osv
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(235827);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/13");

  script_cve_id("CVE-2025-25251");

  script_name(english:"Fortinet FortiClient Local privilege escalation in XPC services (FG-IR-25-016) (macOS)");

  script_set_attribute(attribute:"synopsis", value:
"remote Mac host is affected by a privilege escalation.");
  script_set_attribute(attribute:"description", value:
"The version of FortiClient installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the FG-IR-25-016 advisory.

  - An Incorrect Authorization vulnerability [CWE-863] in FortiClient Mac may allow a local attacker to
    escalate privileges via crafted XPC messages. (CVE-2025-25251)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.fortiguard.com/psirt/FG-IR-25-016");
  script_set_attribute(attribute:"solution", value:
"For 7.0.x, see vendor advisory. For 7.2.x, upgrade to FortiClient version 7.2.9 or later. For 7.4.x, upgrade to
FortiClient version 7.4.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-25251");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/05/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:fortinet:forticlient");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macos_forticlient_detect.nbin");
  script_require_keys("installed_sw/FortiClient (macOS)");

  exit(0);
}

include('vcf.inc');

if (empty_or_null(get_kb_item('Host/local_checks_enabled'))) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_kb_item('Host/MacOSX/Version'))) audit(AUDIT_OS_NOT, 'Mac OS');

var app_name = 'FortiClient (macOS)';
var app_info = vcf::get_app_info(app:app_name);

var constraints = [
  { 'min_version' : '7.0', 'fixed_version' : '7.0.999999', 'fixed_display' : 'See vendor advisory' },
  { 'min_version' : '7.2.0', 'max_version' : '7.2.8', 'fixed_version' : '7.2.9' },
  { 'min_version' : '7.4.0', 'max_version' : '7.4.2', 'fixed_version' : '7.4.3' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

13 May 2025 00:00Current
8.6High risk
Vulners AI Score8.6
CVSS 3.17.8
EPSS0.00173
SSVC
11