CVE-2015-4077

Fortinet Forticlient < 5.2.3 - Information Disclosure

Title source: rule

Description

The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.

Exploits (2)

nomisec WORKING POC 2 stars

by ApexPredator-InfoSec · poc

https://github.com/ApexPredator-InfoSec/forti_shield

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by sickness & mschenk · c++localwindows_x86-64

https://www.exploit-db.com/exploits/45149

View Code ZIP pw:eip

References (8)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html

[Mailing List] http://seclists.org/fulldisclosure/2015/Sep/0

[Vendor Advisory] http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities

[Vendor Advisory] http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/536369/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1033439

[Vendor Advisory] http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/45149/

Scores

EPSS 0.0021

EPSS Percentile 43.5%

Classification

CWE

CWE-200

Status draft

Affected Products (1)

fortinet/forticlient < 5.2.3

Timeline

Published Sep 03, 2015

Tracked Since Feb 18, 2026