Cyber Posture

CVE-2026-24018

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24018 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Fortinet Forticlient. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Flaw remediation directly prevents exploitation of CVE-2026-24018 by applying Fortinet patches that correct the symlink following vulnerability in FortiClientLinux.

AC-6 Least Privilege partial match
prevent

Least privilege restricts the scope of privilege escalation possible via symlink manipulation by ensuring FortiClientLinux processes operate with minimal necessary permissions.

AC-3 Access Enforcement partial match
prevent

Access enforcement ensures proper authorization checks during file operations, mitigating symlink traversal that bypasses controls in privileged FortiClientLinux components.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Direct local privilege escalation via symlink following vulnerability (CWE-61) in a privileged process, matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A UNIX symbolic link (Symlink) following vulnerability in Fortinet FortiClientLinux 7.4.0 through 7.4.4, FortiClientLinux 7.2.2 through 7.2.12 may allow a local and unprivileged user to escalate their privileges to root.

Deeper analysisAI

CVE-2026-24018 is a UNIX symbolic link (symlink) following vulnerability, classified under CWE-61, affecting Fortinet FortiClientLinux in versions 7.4.0 through 7.4.4 and 7.2.2 through 7.2.12. Published on 2026-03-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity and no user interaction required.

A local attacker with unprivileged (low-privilege) access can exploit this vulnerability to escalate privileges to root level. By leveraging symlink traversal, the attacker can manipulate file operations performed by the affected FortiClientLinux components, potentially leading to unauthorized access, modification, or execution with root permissions.

Fortinet has issued advisory FG-IR-26-083, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-083, which provides details on the vulnerability, affected versions, and recommended mitigations or patches for security practitioners to apply.

Details

CWE(s)
CWE-61

Affected Products

fortinet
forticlient
7.2.2 — 7.2.13 · 7.4.0 — 7.4.5

CVEs Like This One

CVE-2025-62676Same product: Fortinet Forticlient
CVE-2024-52968Same product: Fortinet Forticlient
CVE-2023-45588Same product: Fortinet Forticlient
CVE-2025-64157Same product class: VPN / SSL gateway
CVE-2020-9295Same product: Fortinet Forticlient
CVE-2026-22153Same product class: VPN / SSL gateway
CVE-2024-26006Same product class: VPN / SSL gateway
CVE-2025-59718Same product class: VPN / SSL gateway
CVE-2024-26009Same product class: VPN / SSL gateway
CVE-2024-45324Same product class: VPN / SSL gateway

References