Fortinet’s Hidden Threat: How One Click Could Hand Over Your Enterprise

In the world of enterprise cybersecurity, Fortinet is a household name. Its software defends thousands of organizations—banks, hospitals, governments—from cyberattacks every day. But a new research series from security firm Sonar reveals a serious blind spot: a cluster of vulnerabilities that, when chained together, allows attackers to compromise entire organizations with as little as a single user click.
The first installment of Sonar’s three-part exposé focuses on CVE-2025-22855—a deceptively simple flaw that opens a dangerous door. At the center of the issue is FortiClient, Fortinet’s endpoint security application, and its communication with FortiClient Endpoint Management Server (EMS). The architecture is meant to offer centralized control. Instead, it may have handed attackers a turnkey path into enterprise networks.

The Weak Link: FortiClient’s Protocol Handler

FortiClient’s cross-platform UI is built on Electron, a popular framework that has raised security eyebrows in the past. Through Electron’s protocol handler, Fortinet allows the application to register special URLs—like fabricagent://ems?inviteCode=...—to streamline EMS onboarding. For users, this means easy VPN setup and endpoint management. For attackers, it’s an irresistible attack vector.

Clicking one malicious link is all it takes.

"FortiClient accepts these EMS invite links without any validation or user consent," explained researchers. Worse, even if the client is currently locked to a secure EMS, it will silently switch over to the one in the link—potentially a rogue server operated by an attacker.

From that point on, things escalate quickly.

Inside the Malicious EMS Playbook

A compromised EMS can’t immediately run arbitrary code on a client, but it can push HTML messages through FortiClient’s messaging feature. The FortiClient UI, running on a dangerously outdated version of Electron (11.1.1 and Chromium 87), opens that message in a webview using the insecure file:// protocol. That’s where the real trouble begins.
Webviews loaded via file:// can read local files, and because all FortiClient windows use the same origin, they share access to localStorage—a treasure trove of data, including previous EMS connection info. That means once an attacker compromises a device, they can quietly reconnect to the original EMS, posing as a legitimate client.
More disturbingly, the outdated Electron version lacks modern sandboxing and includes known vulnerabilities like CVE-2021-21224, a type confusion flaw in Chromium’s TurboFan engine. By adapting an exploit targeting this bug, Sonar was able to demonstrate full remote code execution on macOS, culminating in the attacker opening the Calculator app, a classic proof-of-concept demonstration whose real-world implications are far more serious.

Fortinet Downplays the Severity
Despite the serious ramifications—arbitrary code execution, full machine compromise, EMS impersonation—Fortinet initially rated CVE-2025-22855 as a low-severity issue (CVSS 2.6), suggesting the risk was limited to malicious administrators sending JavaScript.
Sonar disagreed. “The score doesn’t reflect reality,” their team stated. “This is a one-click RCE with organizational takeover potential.” Fortinet did patch the issue, but did not revise the CVSS score, even after receiving detailed technical feedback.

CVE-2025-22855 was one of five vulnerabilities disclosed to Fortinet starting in November 2024. All have now been patched in recent versions of FortiClient, EMS, FortiOS, and FortiProxy, but Sonar urges customers not to be lulled into complacency by the modest severity scores.

A Wake-Up Call for Supply Chain Security

The findings highlight a persistent problem in enterprise security: trusted vendors with deep infrastructure hooks may be unintentionally expanding the attack surface. Fortinet’s integration of Electron for endpoint security—without timely updates or modern hardening—is a cautionary tale.
For adversaries, user behavior is often the easiest way in. For defenders, assuming vendor tools are secure by default is a dangerous gamble.
“This is just the first part,” Sonar warned. In their next entry, they’ll reveal how a malicious FortiClient endpoint—post-compromise—can exploit EMS itself.
In the meantime, organizations running Fortinet products should review the patch guidance immediately:

  • FortiClientMac: Update to 7.4.3 or 7.2.9 for CVE-2025-25251
  • FortiClient EMS: Update to 7.4.3 to patch CVE-2025-22855 and CVE-2025-22859
  • FortiOS/FortiProxy: Update to 7.6.3 or 7.4.8 for CVE-2025-31366

As enterprises embrace greater centralization and endpoint orchestration, this incident underscores a vital truth: convenience for IT can also be convenience for attackers.

Until then, one click remains one too many.
