A critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software is now actively being exploited in attacks, security researchers have revealed. This security flaw, tracked as CVE-2023-48788, is an SQL injection in the DB2 Administration Server (DAS) component discovered by the UK’s National Cyber Security Centre (NCSC).

The vulnerability affects FortiClient EMS versions 7.0 and 7.2, allowing unauthenticated threat actors to gain remote code execution (RCE) with SYSTEM privileges on unpatched servers in low-complexity attacks that do not require user interaction. Fortinet has released a security advisory explaining the vulnerability, stating that it allows unauthorized code or commands to be executed via specifically crafted requests.

Although Fortinet did not initially disclose that CVE-2023-48788 was being used in attacks, the advisory has since been updated to confirm that the vulnerability is being exploited in the wild. Security researchers from Horizon3’s Attack Team published a technical analysis and shared a proof-of-concept (PoC) exploit one week after Fortinet released security updates to address the flaw.

To execute RCE attacks using Horizon3’s exploit code, modifications must be made to use the Microsoft SQL Server xp_cmdshell procedure to spawn a Windows command shell for code execution. Shodan currently identifies over 440 FortiClient Enterprise Management Server (EMS) servers exposed online, with more than 300 found by the Shadowserver threat monitoring service, mostly in the United States.
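For defenders, switching on xp_cmdshell leaves a trace: SQL Server writes a "Configuration option ... changed" message to its ERRORLOG. The following Python code is an added example, not code from Fortinet or Horizon3. It scans ERRORLOG lines for xp_cmdshell being enabled; the sample lines are constructed, and it assumes the ERRORLOG of the SQL Server instance behind EMS is available for review.

```python
import re

# SQL Server records sp_configure changes in its ERRORLOG in this form.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Constructed sample lines (not taken from a real incident).
SAMPLE_ERRORLOG = """\
2024-03-21 09:58:11.04 spid12s     Recovery is complete. This is an informational message only.
2024-03-21 10:15:02.31 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-21 10:15:02.33 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-21 10:19:40.87 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
""".splitlines()


def config_changes(lines):
    """Yield one dict per configuration-change message found in the log."""
    for lineno, line in enumerate(lines, 1):
        m = CONFIG_CHANGE.match(line.strip())
        if m:
            yield {"line": lineno, "ts": m["ts"], "spid": m["spid"],
                   "option": m["option"],
                   "old": int(m["old"]), "new": int(m["new"])}


def xp_cmdshell_report(lines):
    """Return (events that switched xp_cmdshell on, last logged value or None)."""
    enabled, last_value = [], None
    for ev in config_changes(lines):
        if ev["option"] != "xp_cmdshell":
            continue
        if ev["old"] == 0 and ev["new"] == 1:
            enabled.append(ev)
        last_value = ev["new"]  # track the most recent logged setting
    return enabled, last_value


if __name__ == "__main__":
    enabled, last_value = xp_cmdshell_report(SAMPLE_ERRORLOG)
    for ev in enabled:
        print(f"line {ev['line']}: xp_cmdshell enabled at {ev['ts']} by {ev['spid']}")
    print("last logged value:", last_value)
```

An enable event followed by a last logged value of 0 means the option was turned on and then off again, which still warrants review. The check only sees configuration changes, so it reports nothing on a server where xp_cmdshell was already enabled.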

In February, Fortinet patched another critical RCE bug (CVE-2024-21762) in the FortiOS operating system and FortiProxy secure web proxy, which was also potentially being exploited in the wild. Following the patch release, CISA confirmed that CVE-2024-21762 was actively being exploited and directed federal agencies to secure their FortiOS and FortiProxy devices within seven days.

Fortinet security vulnerabilities are frequently exploited in ransomware attacks and cyber espionage campaigns, often as zero-days, to gain unauthorized access to corporate networks.

