Researchers at SafeBreach Labs recently discovered a privilege escalation vulnerability in the Forcepoint VPN Client for Windows. Versions 6.6.0 and lower of the Forcepoint VPN Client for Windows software are affected. The vulnerability can be used not only to escalate an attacker's privileges but also to let the attacker keep access to a compromised system for a long time.
The vulnerability arises because the path to the VPN program's executable is not enclosed in quotation marks in the command line, so the path and its parameters are not clearly separated. When the process is started, the command line is split at space characters during parsing. When an attacker plants a malicious program at C:\Program.exe and C:\Program Files (x86)\Forcepoint\VPN.exe, the VPN program automatically executes the malicious program, which then runs with SYSTEM-level privileges. However, a local attacker must have administrator privileges to exploit this vulnerability.
Forcepoint has released the relevant patches and recommends that users update to version 6.6.1 or higher as soon as possible.
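The parsing ambiguity described above can be audited for on any Windows host. The following is an added example, not code from SafeBreach Labs or Forcepoint: it takes command lines of the kind stored as a service's ImagePath value, flags those whose executable path is unquoted and contains spaces, and lists the extra locations Windows would try before the intended binary. The service names and paths in the sample are constructed.

```python
import re

# Constructed sample command lines (the kind of string stored as a service's
# ImagePath value). Names and paths are illustrative, not from the article.
SAMPLE_SERVICES = {
    "ExampleVpnAgent": r"C:\Program Files (x86)\Example Vendor\VPN Client\agent.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\svc.exe" --run',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# End of the intended executable: first ".exe" followed by whitespace or end of string.
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def candidate_paths(command_line):
    """Return the unintended executables Windows would try first.

    An empty list means the command line is unambiguous (quoted, or no spaces
    inside the executable path).
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []  # quoted path: the parser knows exactly where it ends
    match = EXE_END.search(cmd)
    exe = cmd[:match.end()] if match else cmd
    # Every space inside the path is a point where parsing may stop early;
    # Windows appends ".exe" to the truncated token and tries to run it.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each service with an ambiguous command line to its candidate paths."""
    findings = {}
    for name, command_line in services.items():
        candidates = candidate_paths(command_line)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted path with spaces")
        for path in candidates:
            print(f"    would be tried first: {path}")
```

Any flagged entry should be fixed by quoting the executable path, and the listed locations should be checked for unexpected files and for write permissions granted to non-administrators.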