CVE-2020-9295
Published: 17 March 2025
Summary
CVE-2020-9295 is a medium-severity Improperly Implemented Security Check for Standard (CWE-358) vulnerability in Fortinet Antivirus Engine. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE is ranked in the top 46.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2020-9295 by requiring timely remediation of the flaw in the antivirus engine through patching to newer AV engine versions in affected FortiOS and FortiClient products.
- SI-3 (Malicious Code Protection): Addresses the vulnerability by mandating deployment, updating, and configuration of malicious code protection mechanisms, including enabling Virus Outbreak Prevention on FortiGate and real-time scanning on FortiClient to detect malicious RAR archives.
- Ensures organizations receive and act on vendor advisories such as the FortiGuard PSIRT advisory for CVE-2020-9295, facilitating prompt updates to vulnerable antivirus engine versions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows malformed RAR archives containing malicious files to bypass initial AV detection, which amounts to evading a security tool.
NVD Description
FortiOS 6.2 running AV engine version 6.00142 and below, FortiOS 6.4 running AV engine version 6.00144 and below and FortiClient 6.2 running AV engine version 6.00137 and below may not immediately detect certain types of malformed or non-standard RAR archives, potentially containing malicious files. Based on the samples provided, FortiClient will detect the malicious files upon trying extraction by real-time scanning and FortiGate will detect the malicious archive if Virus Outbreak Prevention is enabled.
Deeper analysis
CVE-2020-9295 is a vulnerability in the antivirus engine of certain Fortinet products that causes failure to immediately detect specific malformed or non-standard RAR archives potentially containing malicious files. It affects FortiOS 6.2 running AV engine version 6.00142 and below, FortiOS 6.4 running AV engine version 6.00144 and below, and FortiClient 6.2 running AV engine version 6.00137 and below.
A remote, unauthenticated attacker can exploit this over the network with low attack complexity by tricking a user into interacting with the malicious RAR archive, for example by attempting to open or process it. Doing so bypasses the initial detection scan, resulting in a low integrity impact with a changed scope, as reflected in the CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). Although exploitation requires user interaction, FortiClient will still detect the malicious files during extraction via real-time scanning, and FortiGate will detect the archive if Virus Outbreak Prevention is enabled.
Mitigation details are available in the FortiGuard PSIRT advisory at https://fortiguard.com/psirt/FG-IR-20-037.
Details
- CWE(s)