CISOOnline

Fortinet releases emergency hotfix for FortiClient EMS zero-day flaw

The new vulnerability is an authentication bypass issue that stems from improper access control in the FortiClient EMS API. It allows attackers to execute code on the underlying server without valid credentials or user interaction.

“The two vulnerabilities have not been confirmed as linked, and attribution to a specific threat actor has not been established,” the watchTowr researchers said.

Mitigation and response

In addition to the hotfix, organizations should review their available logs for any suspicious API requests and activity. Unfortunately, there are no published indicators of compromise for this malicious activity yet, so watchTowr recommends auditing all recent changes made to endpoint security policies, VPN configuration profiles, application firewall rules, administrator accounts and access controls, and endpoint compliance configurations.


