Fortinet FortiClient < 5.2.3 - Local Privilege Escalation via Fortishield.sys Ioctl Calls
The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call.