CVE-2024-35281

An improper isolation or compartmentalization vulnerability [CWE-653] in FortiClientMac version 7.4.2 and below, version 7.2.8 and below, 7.0 all versions and FortiVoiceUCDesktop 3.0 all versions desktop application may allow an authenticated attacker to inject code via Electron environment variables.

CVSS v3 2.5 LOW

2.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.0 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-025	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:forticlient::::::macos::*
	cpe:2.3:a:fortinet:forticlient::::::macos::*
	cpe:2.3:a:fortinet:fortifone_softclient:::::desktop:-::

History

05 Feb 2026, 14:51

Type	Values Removed	Values Added
CPE	cpe:2.3:a:fortinet:fortifone_softclient::::::desktop::*	cpe:2.3:a:fortinet:fortifone_softclient:::::desktop:-::

19 Nov 2025, 13:35

Type	Values Removed	Values Added
References	~~() https://fortiguard.fortinet.com/psirt/FG-IR-24-025 -~~	() https://fortiguard.fortinet.com/psirt/FG-IR-24-025 - Vendor Advisory
First Time		Fortinet Fortinet fortifone Softclient Fortinet forticlient
CPE		cpe:2.3:a:fortinet:forticlient::::::macos::* cpe:2.3:a:fortinet:fortifone_softclient::::::desktop::*
Summary		(es) Una vulnerabilidad de aislamiento o compartimentación inadecuada [CWE-653] en la aplicación de escritorio FortiClientMac versión 7.4.2 y anteriores, versión 7.2.8 y anteriores, 7.0 todas las versiones y FortiVoiceUCDesktop 3.0 todas las versiones puede permitir que un atacante autenticado inyecte código a través de variables de entorno de Electron.

13 May 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-13 15:15

Updated : 2026-02-05 14:51

NVD link : CVE-2024-35281

Mitre link : CVE-2024-35281

CVE.ORG link : CVE-2024-35281

JSON object : View

Products Affected

fortinet

forticlient
fortifone_softclient

CWE

CWE-653

Improper Isolation or Compartmentalization

{"id": "CVE-2024-35281", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-05-13T15:15:52.060", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-025", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-653"}]}], "descriptions": [{"lang": "en", "value": "An improper isolation or compartmentalization vulnerability [CWE-653] in FortiClientMac version 7.4.2 and below, version 7.2.8 and below, 7.0 all versions and FortiVoiceUCDesktop 3.0 all versions desktop application may allow an authenticated attacker to inject code via Electron environment variables."}, {"lang": "es", "value": "Una vulnerabilidad de aislamiento o compartimentaci\u00f3n inadecuada [CWE-653] en la aplicaci\u00f3n de escritorio FortiClientMac versi\u00f3n 7.4.2 y anteriores, versi\u00f3n 7.2.8 y anteriores, 7.0 todas las versiones y FortiVoiceUCDesktop 3.0 todas las versiones puede permitir que un atacante autenticado inyecte c\u00f3digo a trav\u00e9s de variables de entorno de Electron."}], "lastModified": "2026-02-05T14:51:34.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*", "vulnerable": true, "matchCriteriaId": "6C849529-C78C-4DE7-B2EA-FFF29FF9972F", "versionEndExcluding": "7.2.9", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*", "vulnerable": true, "matchCriteriaId": "96EF5BCC-56D3-4218-80A2-085F8B63D83A", "versionEndExcluding": "7.4.3", "versionStartIncluding": "7.4.0"}, {"criteria": "cpe:2.3:a:fortinet:fortifone_softclient:*:*:*:*:desktop:-:*:*", "vulnerable": true, "matchCriteriaId": "6CE41DB7-AA21-42E2-84E1-52C724DF54DB", "versionEndIncluding": "3.0.16", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}