Fortinet VPN-Only Client for Windows vulnerabilities

I’m new to Fortinet and recently ran a VM scan on my PC which indicated that the installed version of the Fortinet Client for Windows was vulnerable to FG-IR-22-336, FG-IR-22-429, and FG-IR-22-320. When I reported this to our IT service provider, they responded that “release notes and CVEs are for the full client. We install the VPN-only FortiClient, which only has a small (VPN) subset of the functionality of its full counterpart. Therefore most of the release notes and vulnerabilities are not applicable at all for this version.”

However, the Fortigate PSIRT does not appear to have a separate vulnerability category for vulnerabilities affecting the VPN-Only client, which makes me think that all vulnerabilities that affect the general FortiClient should be assumed also to affect the VPN-only client unless the CVE/FG states otherwise. Is this correct, or am I missing something? Thanks in advance for the help!

I did manually update my client to the latest version, but am considering how to handle this with our IT service provider going forward.

Bottom line: the codebase is shared between the EMS-managed and VPN-only versions of the client. If a feature is available in both, it has the same code, and the same vulnerabilities.

With that said, none of the three mentioned vulns comments on what part of the FortiClient exactly is abused to perform the attack, so just by reading the public advisory it’s impossible to say if it’s EMS-specific or general. The sane choice is to assume that both are vulnerable.

Anyway, I had a quick look, and:
FG-IR-22-336 - both affected
FG-IR-22-429 - unclear, maybe?
FG-IR-22-320 - unclear, maybe?

TL;DR upgrade to 7.0.8

Thank you for your help!