CVE-2015-4077

FortiClient < 5.2.3 - Unauthorized Kernel Memory Read via mdare Driver ioctl


Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-4077. PoCs published by sickness & mschenk, ApexPredator-InfoSec.

AI-analyzed exploit summary: This exploit targets CVE-2015-5736, a privilege escalation vulnerability in FortiShield.sys. It leverages memory leaks and ROP chains to achieve arbitrary code execution in kernel mode, ultimately spawning a command prompt with elevated privileges.

Description

The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.

Exploits (2)

exploitdb WORKING POC VERIFIED
by sickness & mschenk · c++ · local · windows_x86-64
https://www.exploit-db.com/exploits/45149

This exploit targets CVE-2015-5736, a privilege escalation vulnerability in FortiShield.sys. It leverages memory leaks and ROP chains to achieve arbitrary code execution in kernel mode, ultimately spawning a command prompt with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: FortiShield.sys (Fortinet FortiClient)
No auth needed
Prerequisites: Access to the vulnerable system · Presence of FortiShield.sys driver · Ability to interact with the driver via DeviceIoControl
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by ApexPredator-InfoSec · poc
https://github.com/ApexPredator-InfoSec/forti_shield

This repository contains a combined proof-of-concept exploit for CVE-2021-31955, CVE-2015-4077, and CVE-2015-5736, targeting Windows 10 20H2. It leverages memory corruption and privilege escalation techniques to achieve local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 20H2
No auth needed
Prerequisites: Windows 10 20H2 environment · Vulnerable driver or kernel component
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45149/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033439
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/536369/100/0/threaded
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Sep/0

Scores

EPSS 0.0017
EPSS Percentile 38.9%

Details

CWE: CWE-200
Status: published
Products (1): fortinet/forticlient < 5.2.3
Published: Sep 03, 2015
Tracked Since: Feb 18, 2026