CVE-2026–24018: A Logic flaw to Local Privilege Escalation 0day $$$
Febin · April 1, 2026 (Updated: April 1, 2026)
My first CVE of 2026. A UNIX symbolic link (symlink) following vulnerability in Fortinet FortiClientLinux 7.4.0 through 7.4.4 and FortiClientLinux 7.2.2 through 7.2.12 that allows a local, unprivileged user to escalate their privileges to root.
Discovery
Interesting Feature
I was working with the Fortinet FortiClient VPN client on my Ubuntu VM and noticed an interesting feature while adding a new VPN connection in the FortiClientLinux app: "Client Certificate > Smart Card > Import PKCS11 Library".
Using this feature, users can import a shared library (.so) that handles Smart Card authentication.
Flaw 1
The FortiClient VPN client is installed system-wide, which means any local user on the system can create, edit or delete VPN connections. Consequently, any low-privileged local user can import a Smart Card PKCS11 shared library. You don't necessarily need the GUI app to do the configuration: FortiClient has its own CLI version, bundled together with the GUI app.
Can you exploit this behaviour directly? No.
When I tried to exploit this by creating a shared library and importing it into FortiClient, it refused to accept the evil shared library, because a validation mechanism checks whether the shared library is owned by root. If the shared library is not owned by root, the configuration simply fails.
It doesn't work!
The next two questions that came to mind were:
How do we bypass the validation?
Does the execution happen in the context of root, or in that of the user who started the VPN connection/application?
To answer the second question, you can either give your shared library root ownership (for testing) or find the answer to the first question. I followed the second approach, that is, finding the answer to the first question.
Flaw 2: The Bypass
What if the path to the shared library that we supply to the FortiClient VPN connection is a symlink to an actual shared library owned by root, and we later replace that symlink so that it points to another "evil" shared library owned by the local user? I tried this approach, and for it I used a shared library of FortiClient itself.
Delete the original symlink and replace it with another symlink that points to the evil shared library.
Open the FortiClient GUI app to verify that the shared library has been invoked and executed.
The code inside the evil shared library is executed in root context.
An interesting fact about this bug is that you do not need an actual VPN connection: all the connection data is dummy, and you only need to open the FortiClient app once to trigger the bug.
The Exploit
I made a fully working exploit that gives you a root shell from a low-privileged user.
https://github.com/febin0x10/Fortinet_FortiClient_Exploit_CVE-2026-24018
Demo Video:
https://github.com/febin0x10/Fortinet_FortiClient_Exploit_CVE-2026-24018/raw/refs/heads/main/FortiClient_exploit.mp4
Report, Disclosure and Reward:
I reported the vulnerability along with a working exploit to the Zero Day Initiative and got rewarded.
https://www.zerodayinitiative.com/advisories/ZDI-26-186/
Remediation:
Upgrade Fortinet FortiClient to the latest version.
References:
https://www.zerodayinitiative.com/advisories/ZDI-26-186/
https://www.fortiguard.com/psirt/FG-IR-26-083
https://nvd.nist.gov/vuln/detail/CVE-2026-24018
#exploit #vulnerability-research #security-research #cybersecurity #bug-bounty