CVE-2025-62676

HIGH

FortiClientWindows 7.0-7.4.4 - Arbitrary File Write via Crafted Named Pipe Messages

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-62676. PoCs published by SpacePlant.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-62676, targeting FortiClient via a named pipe vulnerability to achieve local privilege escalation (LPE). The exploit leverages a DLL injection technique to interact with FortiClient's named pipe and execute privileged file operations.

Description

An Improper Link Resolution Before File Access ('Link Following') vulnerability [CWE-59] vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.4, FortiClientWindows 7.2.0 through 7.2.12, FortiClientWindows 7.0 all versions may allow a local low-privilege attacker to perform an arbitrary file write with elevated permissions via crafted named pipe messages.

Exploits (1)

nomisec WORKING POC
by SpacePlant · poc
https://github.com/SpacePlant/FortiLPE

This repository contains a functional exploit for CVE-2025-62676, targeting FortiClient via a named pipe vulnerability to achieve local privilege escalation (LPE). The exploit leverages a DLL injection technique to interact with FortiClient's named pipe and execute privileged file operations.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: FortiClient
No auth needed
Prerequisites: Local access to the target system · FortiClient installed and running
devstral-2 · analyzed Jun 06, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.1
EPSS 0.0021
EPSS Percentile 11.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-59
Status published
Products (1)
fortinet/forticlient 7.0.0 - 7.2.13
Published Feb 10, 2026
Tracked Since Feb 18, 2026