Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (forcepoint) · only source for this CVE.
CVSS VectorVendor: forcepoint
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior.
AnalysisAI
Local privilege escalation in Forcepoint VPN Client for Windows versions 6.11.3 and prior allows an authenticated low-privileged local user to elevate to SYSTEM. The flaw stems from execution with unnecessary privileges (CWE-250) and carries a CVSS 4.0 score of 8.5, but no public exploit identified at time of analysis. The vulnerability was reported and disclosed by Forcepoint PSIRT itself rather than a third party.
Technical ContextAI
Forcepoint VPN Client is the Windows endpoint agent that establishes IPsec/SSL tunnels to Forcepoint NGFW/Sidewinder gateways and runs persistent privileged services to manage network adapters, routing, and policy enforcement. The CWE-250 classification (Execution with Unnecessary Privileges) indicates that a SYSTEM-level component of the client performs operations on behalf of the logged-in user without sufficiently dropping or restricting privileges - common patterns include privileged services that load user-controlled files, expose insecure named pipes/IPC, invoke binaries from writable locations, or honor user-supplied paths. The scope-unchanged CVSS vector confirms the elevation is confined to the local Windows host but yields full Confidentiality, Integrity, and Availability impact (VC:H/VI:H/VA:H) consistent with NT AUTHORITY\SYSTEM compromise.
RemediationAI
Patch available per vendor advisory - upgrade Forcepoint VPN Client for Windows to a version released after 6.11.3 as directed in the Forcepoint Security Advisory at https://support.forcepoint.com/s/article/Security-Advisory-Local-Privilege-Escalation-in-VPN-Client-for-Windows; the advisory should be consulted for the exact fixed build number since it was not enumerated in the provided data. Until patching is complete, compensating controls include restricting interactive logon on endpoints that run the VPN client to trusted users only (which limits who can stage a local exploit but does not help against malware-initiated abuse), enforcing application allow-listing via WDAC or AppLocker to block unsigned helper binaries that an LPE chain may rely on, and monitoring EDR for suspicious child processes spawned by the Forcepoint VPN service or unexpected writes into its install directory; note that uninstalling or stopping the client service eliminates the vulnerability but also removes VPN connectivity, which is rarely acceptable for remote workers.
More in Vpn Client
View allAn Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CV
Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allo
An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client through 2.2.10 allows an attacker to gain elevated
The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a
Cisco VPN Client 5.x through 5.0.07.0440 uses weak permissions for vpnclient.ini, which allows local users to gain privi
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. Rated medium sev
An issue was discovered in Aviatrix Controller before 5.4.1204. Rated medium severity (CVSS 5.3), this vulnerability is
Aviatrix VPN Client before 2.14.14 on Windows has an unquoted search path that enables local privilege escalation to the
Untrusted search path vulnerability in Cisco VPN Client 5.0 allows local users to gain privileges via a Trojan horse DLL
The VPN driver in Cisco VPN Client on Windows does not properly interact with the kernel, which allows local users to ca
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210063
GHSA-8w99-hmp7-97xw