Cyber Resilience

CVE-2026-24018

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24018 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Fortinet Forticlient. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-24018 is a UNIX symbolic link (symlink) following vulnerability, classified under CWE-61, affecting Fortinet FortiClientLinux in versions 7.4.0 through 7.4.4 and 7.2.2 through 7.2.12. Published on 2026-03-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity and no user interaction required.

A local attacker with unprivileged (low-privilege) access can exploit this vulnerability to escalate privileges to root level. By leveraging symlink traversal, the attacker can manipulate file operations performed by the affected FortiClientLinux components, potentially leading to unauthorized access, modification, or execution with root permissions.

Fortinet has issued advisory FG-IR-26-083, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-083, which provides details on the vulnerability, affected versions, and recommended mitigations or patches for security practitioners to apply.

EU & UK References

Vulnerability details

A UNIX symbolic link (Symlink) following vulnerability in Fortinet FortiClientLinux 7.4.0 through 7.4.4, FortiClientLinux 7.2.2 through 7.2.12 may allow a local and unprivileged user to escalate their privileges to root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via symlink following vulnerability (CWE-61) in a privileged process, matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-62676Same product: Fortinet Forticlient
CVE-2024-52968Same product: Fortinet Forticlient
CVE-2023-45588Same product: Fortinet Forticlient
CVE-2024-40591Same product class: VPN / SSL gateway
CVE-2025-64157Same product class: VPN / SSL gateway
CVE-2020-9295Same product: Fortinet Forticlient
CVE-2026-22153Same product class: VPN / SSL gateway
CVE-2025-25249Same product class: VPN / SSL gateway
CVE-2024-46668Same product class: VPN / SSL gateway
CVE-2025-53844Same product class: VPN / SSL gateway

Affected Assets

fortinet
forticlient
7.2.2 — 7.2.13 · 7.4.0 — 7.4.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly prevents exploitation of CVE-2026-24018 by applying Fortinet patches that correct the symlink following vulnerability in FortiClientLinux.

prevent

Least privilege restricts the scope of privilege escalation possible via symlink manipulation by ensuring FortiClientLinux processes operate with minimal necessary permissions.

prevent

Access enforcement ensures proper authorization checks during file operations, mitigating symlink traversal that bypasses controls in privileged FortiClientLinux components.

References