KB Article | Forcepoint Support

Problem Description

There is an unquoted search path vulnerability in Forcepoint VPN Client for Windows versions lower than 6.6.1. When the VPN Client starts, usually during the Windows boot sequence, it incorrectly tries to execute programs in the following locations:

"C:\Program.exe"
"C:\Program Files (x86)\Forcepoint\VPN.exe"

If an unauthorized user has planted an executable in one of these locations, the VPN Client would execute it, enabling SYSTEM level privilege escalation.

All VPN Client for Windows versions lower than 6.6.1 are vulnerable.

Forcepoint has reserved CVE-2019-6145 to identify and track this issue with an assigned CVSSv3 Base Score of 6.5 (Medium). [CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H]

Forcepoint thanks Peleg Hadar of SafeBreach Labs for finding this vulnerability and for reporting it to us.

Resolution

To fix this vulnerability, upgrade to VPN Client for Windows version 6.6.1 or higher.

To mitigate the vulnerability in affected versions of the VPN Client, prohibit non-administrator users from creating or copying executables into the following directories:

"C:\"
"C:\Program Files (x86)\Forcepoint\"

By default, only local administrators can write to these directories.
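The two execution locations listed under Problem Description and the two directories listed under Resolution are both consequences of one rule: when Windows is given an unquoted command line containing spaces, it splits the string at each space and tries each prefix as a program (appending ".exe" when the prefix has no extension) until one exists. The following added audit helper, which is not Forcepoint's code and not part of this article, implements that documented rule as plain string logic so it runs anywhere. It flags unquoted-with-spaces service paths, lists every file Windows would try before reaching the intended program, and derives the directories that must stay non-writable for standard users. The sample service list and the `...\VPN Client\PLACEHOLDER.exe` path are constructed for illustration (the real product path is not given above); because the helper follows the general rule it also reports `C:\Program Files.exe`, a split point the article does not list.

```python
"""
Audit helper for unquoted service paths (the class of bug described above).

Given a service command line as stored in the registry or reported by
Win32_Service.PathName, it (1) flags the unquoted-with-spaces case and
(2) lists every file Windows would try first, following the documented
CreateProcess rule: the unquoted command line is split at each space, each
prefix is tried in order, and ".exe" is appended when the prefix's last
component has no extension. The parent directories of those candidates are
the ones that must stay non-writable for standard users.
"""
import ntpath
import re

_EXE_TOKEN = re.compile(r"\.exe\b", re.IGNORECASE)


def executable_portion(command_line: str) -> str:
    """Return the part of the command line that names the program.

    For a quoted command line that is the text inside the first pair of
    quotes; otherwise everything up to and including the first ".exe" token
    (or the whole string if none appears). Arguments that follow the program
    name never take part in the search, so they are dropped here.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE_TOKEN.search(cmd)
    return cmd[: m.end()] if m else cmd


def is_unquoted_with_spaces(command_line: str) -> bool:
    """True when the program path itself is unquoted and contains a space.

    A space only inside the arguments (e.g. 'C:\\foo\\svc.exe -k x') is not
    a problem: Windows finds svc.exe before it would split any further.
    """
    if command_line.strip().startswith('"'):
        return False
    return " " in executable_portion(command_line)


def candidate_executables(command_line: str) -> list:
    """Files Windows tries, in order, before reaching the intended program."""
    if not is_unquoted_with_spaces(command_line):
        return [executable_portion(command_line)]
    tokens = executable_portion(command_line).split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if "." not in prefix.rsplit("\\", 1)[-1]:  # no extension: ".exe" is appended
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def directories_to_protect(command_line: str) -> list:
    """Parent directories of every stray candidate, de-duplicated, in search order."""
    candidates = candidate_executables(command_line)
    seen, dirs = set(), []
    for c in candidates[:-1]:  # the last entry is the intended program itself
        d = ntpath.dirname(c)
        if d not in seen:
            seen.add(d)
            dirs.append(d)
    return dirs


def find_unquoted_services(services) -> list:
    """Names of services whose command line is unquoted and contains spaces."""
    return [name for name, path in services if is_unquoted_with_spaces(path)]


# Constructed sample in the shape of (Name, PathName) from Win32_Service.
# The VPN entry uses a placeholder path, not the real product path; its
# first and third candidates are the two locations named in the advisory.
SAMPLE_SERVICES = [
    ("ExampleQuotedSvc", r'"C:\Program Files\Example\svc.exe" -run'),
    ("ExampleVpnSvc", r"C:\Program Files (x86)\Forcepoint\VPN Client\PLACEHOLDER.exe"),
    ("ExampleSvcHost", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    paths = dict(SAMPLE_SERVICES)
    for name in find_unquoted_services(SAMPLE_SERVICES):
        print(f"{name}: unquoted path with spaces")
        for c in candidate_executables(paths[name]):
            print("  would try:", c)
        print("  keep non-writable:", directories_to_protect(paths[name]))
```

On a real host the input list comes from `Get-CimInstance Win32_Service | Select-Object Name, PathName` (or `sc qc <service>`), and the directories the helper reports are the ones whose ACLs should be compared against the default, where only local administrators have write access.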
